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Description 

[0001] The present invention relates to a device for authenticating user's access rights to resources. 
[0002] Program execution control technologies are known in the field to which the present invention belongs. The 
5 program execution control technologies are technologies to: 

1 . Embed a routine for user authentication during the use of an application program; 

2. Have the routine examine whether the user attempting execution of the application possesses a key for proper 
authentication; and 

10 3. Continue the program only when the existence of the key for authentication is verified, othenwiseto halt execution. 

[0003] By using these technologies, execution of the application program is enabled only for proper users having 
the authentication key. The technologies are commercialized in the software marketing field, two examples being Sen- 
tinelSuperPro (trade mark) from Rainbow Technologies, Inc. and HASP (trade mark) from Aladdin Knowledge Systems, 
15 Ltd. . 

[0004] In the use of program execution control technologies, a user who executes software possesses an authenti- 
cation key as user identification inforiTiation. The authentication key is a key for encryption and is distributed to the 
user by a party who allows use of software, a software vender, for example. The authentication key is securely sealed 
in a memory, or the like, of hardware to prevent duplication, and is delivered to the user using physical means such 

20 as the postal service. The user mounts personal computer/workstation using a designated method. When the user 
starts up the application program and when the execution of the program reaches the user authentication routine, the 
program communicates with the hardware in which the authentication key of the user is embedded. Based on the 
results of the communication, the program identifies the authentication key, and moves the execution to the following 
step upon confirmation of existence of the correct authentication key. If the communication falls and the verification of 

25 the existence of the authentication key is not established, the program stops automatically, discontinuing the execution 
of subsequent steps. 

[0005] Identification of the authentication key by the user authentication routine is executed according to the following 
protocol, for example: 

30 1 . The user authentication routine generates and transmits an appropriate number to the hardware in which the 

key is embedded. 

2. The hardware in which the key is embedded encrypts the number using the embedded authentication key and 
transmits it back to the authentication routine. 

3. The authentication routine determines whether or not the number transmitted back is the number expected 
35 beforehand, or, in other words, the number obtained by encrypting the number with a correct authentication key 

4. If the number transmitted back coincides with the expected number, the execution of the program is continued, 
otherwise the execution is halted. 

5. In this case, communication between the application program and the hardware in which the authentication key 
is embedded must be different for each execution even if it is between the same location in the same application 

40 with the same hardware. 

Othenwise, a user who does not possess the correct authentication key may be able to execute the program by 
recording once the content, of communication during the normal execution process, and by responding to the 
application program according to the recording each time the subsequent program is executed. Such improper 
execution of the application program by replaying the communication content is called a replay attack. 

45 

[0006] In order to prevent a replay attack, in general, a random number is generated and used for each communi- 
cation as the number to be transmitted to the hardware in which the key is embedded 

[0007] Elektronik 41(1992), pages 68 to 74, discloses software protection by using a dongle having a processor 
which decrypts encrypted data supplied from the software to be protected. The dongle key consists of a firm and user 

50 code and is supplied to the decryption algorithm together with a selection code. 

[0008] The present invention has been made in view of the above circumstances and an aspect of the present 
invention is to provide a device for authenticating user's access rights to resources and its method which set both users 
and the protecting side such as application providers free from inconveniences caused by handling of large amount 
of unique information, for example, a lot of authentication keys, and thereby user's access rights are easily and simply 

55 authenticated when the execution control of the program, privacy protection of electronic mails, access control of files 
or computer resources and so forth are carried out. 
[0009] The invention provides a device as defined in claim 1 . 

[0010] With the above constitution, the unique security characteristic information of the device assigned to the pro- 
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tecting side and the unique identifying information of the user are made to be independent of each other. The information 
on actual access rights is represented as proof support information (i.e., an access ticket). The user has the user 
unique identifying information in advance, and on the other hand, a protector, such as a program creator prepares the 
unique security characteristic information, or the counterpart of the unique security characteristic information in terms 
of the public key cryptography, independent of the user unique identifying information held by the user. An access ticket 
is generated based on the user unique identifying information and the unique security characteristic information used 
in creation of the application program or the like. Access tickets are distributed to the users, whereby authentication 
of the user's access rights to resources such as execution control can be performed. Thus complexity occurring in the 
case where both sides of user and protector use the same information for performing authentication can be avoided. 
[0011] Moreover, in the above constitution, at least the second memory means and the response generation means- 
may be confined in the protect means which prevents any data inside from being observed or being tampered with 
from the outside. It may also be possible to implement at least the second memory means and the response generation 
means within a small portable device such as a smart card. 

[001 2] The response generating means may comprise first calculation means and second calculation means, wherein 
the first calculation means executes predetermined calculations to the user unique identifying information stored in the 
second memory means and the proof support information stored in the third memory means to obtain the unique 
security characteristic information as a result, and the second calculation means executes predetermined calculations 
to the challenging data stored in the first memory means and the unique security characteristic information calculated 
by the first calculation means to generate the response as a result of calculation. 

[0013] ' The above-described response generation means may comprise third calculation means, fourth calculation 
means and fifth calculation means. The third calculation means executes predetermined calculations to the challenging 
data stored in the first memory means and the proof support information stored in the third memory means, the fourth . 
calculation means executes predetermined calculations to the challenging data stored in the first memory means and 
the user unique identifying information stored in the second memory means, and the fifth calculation means executes 
predetermined calculations to the results of calculation by the third and fourth calculation means, whereby the response 
is generated. In this case, at least the second memory means and the fourth calculation means can be confined within 
the protect means which prevents any data inside from being observed or being tampered with from the outside. At 
least the second memory means and the fourth calculation means may be implemented within a small portable device 
such as a smart card. 

[0014] The invention furthermore provides a method as defined in claim 47, a computer program product as indicated 
in claim 48 or 49, a control device according to claim 50, and an apparatus as defined in claim 51 . 
[0015] The accompanying drawings, which are incorporated in and constitute a part of this specification illustrate 
embodiment of the invention and, together with the description, serve to explain the objects, advantages and principles 
of the invention. In the drawings: 

Fig. 1 is a block diagram showing an example of the fundamental constitution of the present invention; 

Fig. 2 is a block diagram showing an example of the constitution of the present invention in case that an entire 

device is implemented within a single PC; 

Fig. 3 is a block diagram showing the constitution of a first embodiment of a device for authenticating user's access 
rights to resources according to the present invention; 

Fig. 4 is a flow chart showing functions of means constituting the devices of the first embodiment; 
Fig. 5 is a block diagram showing the constitutions of a verification device and a proving device of a second 
embodiment of the device for authenticating user's access rights to resources according to the present invention; 
Fig. 6 is a flow chart showing functions of means constituting the verification device of the second embodiment; 
Fig. 7 is a block diagram showing a constitutional example of execution means of the verification means of the 
second embodiment; 

Fig. 8 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 7; 
Fig. 9 is a block diagram showing a second constitutional example of execution means of the verification means 
of the second embodiment; 

Fig. 10 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 9; 
Fig. 11 is a block diagram showing a third constitutional example of execution means of the verification means of 
the second embodiment; 

Fig. 12 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 11 ; 
Fig. 13 is a block diagram showing a fourth constitutionar example of execution means of the verification means 
of the second embodiment; 

Fig. 14 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 13; 
Fig. 15 is a block diagram showing the constitution of a proving device of a third embodiment of the device for 
authenticating user's access rights to resources according to the present invention; 
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Fig. 16 is a flow chart showing functions of means constituting the proving device of the third embodiment; 
Fig. 1 7 is a block diagram showing a constitutional example of a fourth embodiment of the device for authenticating 
user's access rights to resources according to the present invention; 
Fig. 18 is a block diagram showing another constitutional example of the fourth embodiment; 
5 Fig. 1 9 is a flow chart showing functions of means of the constitutional example shown in Fig. 17; 

Fig. 20 is a block diagram showing the constitution of a fifth embodiment of the device for authenticating user's 
access rights to resources according to the present invention; 

Fig. 21 is a flow chart showing functions of means constituting a verification device of the fifth embodiment; 
Fig. 22 is a block diagram showing the constitution of a sixth embodiment of the device for authenticating user's 
10 access rights to resources according to the present invention; 

Fig. 23 is a flow chart showing functions of means constituting devices of the sixth embodiment; 

Fig. 24 is a block diagram showing the constitution of a seventh embodiment of the device for authenticating user's 

access rights to resources according to the present invention; 

Fig. 25 is a flow chart showing functions of means constituting devices of the seventh embodiment; and 
15 Fig. 26 is a block diagram showing a part of constitution of a proving device of ninth and tenth embodiments of 

the device for authenticating user's access rights to resources according to the present invention. 

[0016] At first, an example of the fundamental constitution of the present invention is described. The user authenti- 
cation system of the example can be applied to privacy protection of electronic mails or control of access to files or 

20 computer resources as well as control of execution of applications. 

[0017] In Fig. 1, the user authentication system comprises a verification device 10 and a proving device 11: the 
proving device 11 receives an access ticket (proof support data) from an access ticket generation device 12; the ver- 
ification device 10 executes a verification routine 15; the proving device 11 retains user identifying information 16 and 
the access ticket 1 3 and executes a response generation program 17. . 

25 [0018] The access ticket generation device 12 is installed in the protector side, such as an application provider. The 
access ticket generation device 1 2 generates the access ticket 1 3 based on unique security characteristic information 
of the device 14 and the user identifying information 16 and the access ticket 13 is fonwarded to the user through 
communication or sending of a floppy-diskette or the like to be retained by the proving device 11 of the user. Then the 
verification device 1 0 sends challenging data 1 8 to the proving device 1 1 . The proving device 1 1 generates a response 

30 19 by utilizing the access ticket 13 and the user identifying information 16, and returns it to the verification device 10. 
The verification device 10 verifies the legitimacy of the response based on the challenging data, that is, the verification 
device 1 0 verifies that the response has been generated based on the challenging data and the unique security char- 
acteristic information of the device. 

[0019] If the legitimacy of the response is verified, the access rights of the user is authenticated; accordingly, con- - 

35 tinuation of execution of a program, access to files, and so forth, are permitted. 

[0020] With the above constitution, an example of execution control of an application program is now described. 
[0021 ] In the above constitution, a user of an application program retains only one piece of user identifying information 
1 6. The user identifying information is equivalent to a password in the password authentication and is unique, significant 
information which identifies the user. If it is possible for the user to copy and distribute the user identifying information 

40 16, it will lead to the use of the application program by the user without legitimate access rights; therefore, the user 
identifying information 1 6 is protected by protection means 1 60 so that even the user who is a legitimate owner of the 
user identifying information 1 6 cannot steal it. The protection means 1 60 may be a hardware with a protecting effect 
(hereinafter referred to as tamper- resistant hardware) against theft of the inside conditions by external probes. A method 
of implementation of the tamper-resistant hardware will be described later. 

45 [0022] In addition to the user identifying information 16, the response generation program 17 which executes pre- 
determined computations is provided to the user. The program 17 performs communication with a user authentication 
routine (verification routine 15): on receiving two parameters, namely, the user identifying information 1 6 and the access 
ticket 1 3, the program 1 7 executes computations to arbitrary inputted values to generate the response 1 9 for identifying 
the user. The user. identifying information 16 is used in the course of the computation, and it is required to protect at 

50 least a part of the program 1 7 by the protection means 1 60 since leakage of the user identifying information 1 6 to the 
outside will cause a problem by the above-described reason. 

[0023] Hereinafter, memory means for storing the user identifying information and a part of the program which are 
protected by the protection means 160, device for executing the part of the program (for example, consisting of a 
memory and a MPU) and the protection means 160 are integrally referred to as token (shown by the reference numeral 
55 20 in Fig. 1 ). The token may have portability, like a smart card. 

[0024] Similar to the conventional execution control technologies, the verification routine 15 is set to the application 
program. The verification routine 15 is same as that of the conventional technologies in that it communicates with the 
response generation program 1 7 retained by the user, and continues execution of the program if and only if a returned 
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result (response 18) is correct. Therefore, it is necessary that the program creator knows the method of computing the 
combination of transferred data (challenging data 18) and correct retumed data corresponding thereto (response 19). 
[0025] Some examples of functions of the verification routine 1 5 are explained as follows: 

5 1 . Data to be transferred (challenging data 1 8) and expected returned data (expected value) are embedded in the 

verification routine 15. The verification routine 15 fetches the data to be transferred and transfers it to the user, 
and receives the returned data from the user. Then the verification routine 15 compares the returned data from 
the user with the expected value: if they are identical with each other, the verification routine 1 5 executes the next 
step of the program; if they are not identical, the verification routine 15 halts the execution of the program. 

10- In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance 

with a predetermined encryption algorithm, the unique security characteristic information of the device is an en- 
cryption key. 

2. Data to be transferred (challenging data 18) and -data generated by applying a one-way function to expected 
returned data (expected value) are embedded in the verification routine 15. The verification routine 15 fetches the 

'5 data to be transferred and transfers it to the user, and receives the returned data from the user. Theri the verification 

routine 15 compares data generated by applying the one-way function to the returned data from the user with the 
expected value: if they are identical with each other, the verification routine 15 executes the next step of the pro- 
gram; if they are not identical, the verification routine 15 halts the execution. of the program. 

In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance 

20 with a predetermined encryption algorithm, the unique security characteristic information of the device is an en- 

cryption key. 

3. Protection is provided by encrypting a part of code of the application program in accordance with a predetermined 
encryption algorithm so that execution of the program may be impossible. The verification routine 15 transfers the 
encrypted code to the user and receives returned data from the user, and then replace the received value with the 

25 encrypted code. 

With this constitution, execution of the program may be possible if and only if the returned data is a correct 
decryption of the encrypted code. In this case, the unique security characteristic information is a decryption key 
for decrypting the encrypted code. 

4. Protection is provided by encrypting a part of code of the application program in accordance with a predetermined 
30 encryption algorithm so that execution of the program may be impossible. Moreover, data generated by encrypting 

a decryption key paired with the encryption key used for encrypting the code is embedded as transferred data in 
the verification routine 1 5. The verification routine 1 5 transfers the encrypted decryption key to the user and re- 
ceives returned data from the user, and then decrypts the encrypted code with the value of the received data as 
a decryption key 

35 

[0026] With this constitution, the encrypted code is correctly decrypted if and only if the returned data is a decryption 
key which has been correctly decrypted, and accordingly execution of the program becomes possible. In this case, 
the unique security characteristic information of the device is a decryption key for decrypting the encrypted decryption 
key 

40 [0027] In the conventional execution control technologies, the user identifying information (authentication key of the 
user) is identical with the unique security characteristic information of the device. The conventional response generation 
routine receives the unique security characteristic information and the data transferred from the verification routine as 
the input, and then executes computations thereto for generating data to be returned. 

[0028] By contrast, the present invention is characterized in that the user identifying information 16 and the unique 
45 security characteristic information of the device 14 are independent of each other. In this constitutional example, the 
response generation program 1 7 adds the access ticket 1 3 to the user identifying information 1 6 and the data transferred 
from the verification routine 15 (challenging data 18) as the input, and then executes predetermined computations to 
them for generating the data to be returned (response 19). The constitution has the following properties: 

50 1 . The access ticket 1 3 is the data calculated based on the specific user identifying information 1 6 and the unique 

security characteristic information of the device. 

2. At least from the viewpoint of the computation amount, it is impossible to calculate the unique security charac- 
teristic information from the access ticket 13 without knowing the user identifying information 16. 

3. The response generation program 17 executes computations for generating correct data to be returned if and 
55 only if a correct combination of the user identifying information 1 6 and the access ticket 13. Note that the access 

ticket 13 has been calculated based on the user identifying information 16. 

[0029] With the constitution described so far, the execution control can be carried out by the following steps: the user 
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has the user identifying Information 1 6 in advance; the progrann creator prepares the application program independent 
of the user identifying Information 16 retained by the user; and the program creator generates the access ticket 13 
based on the user identifying information 16 and the unique security characteristic Information of the device 16 used 
in creating the application program and distributes the access ticket 1 3 to the user. 

5 [0030] It may be possible to constitute the user identifying information 1 6 by two pieces of user identifying information 
for distinguishing the information used for preparing the access ticket 1 3 from the information used in a communication 
program by the user. In the most representative example, the user identifying information 16 is made to be a public 
key pair: the public key is published to be used for generating the access ticket; and the individual key is confined 
within the token 20 as user's individual secret information. In this case, it is possible to calculate the access ticket 13 

10 while the user identifying information 16 Is kept secret by calculating the access ticket 13 from the unique security 
characteristic information 14 and the public key of the public key pair. 

First Embodiment 

15 [0031] In a first embodiment, an access ticket t is defined as the relation (1 ). 

(1) t= D-e + (0 (() (n) 

20 [0032] in the following bulleted paragraphs, symbols used in the above relation are described. 

• An integer n is an RSA modulus,. hence, a product of two very large prime numbers p and q (n = pq). 

• (j) (n) denotes the Euler number of n, hence, a product of two integers p-1 and q-1 (^(n) = (p-l) (q-1)). 

• A piece of user identifying information e is an integer allocated to each user. A piece of user identifying information 
25 is unique to a user: a different user identifying information is allocated to a different user. 

• An access-ticket secret key D is a private key of an RSA public key pair. Since the modulus is assumed to be n, 
the relation 2 is derived from the definition. 

30 : (2) gcd (D, ^(n)) = 1 

• In the above, gcd (x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer 
E satisfying the relation (3), which is called an access-ticket public key is derived from the relation (2). 

35 

(3) ED mod (t)(n) = 1 

• 0) is an integer dependent upon both n and e. It is required that a probably different value will be allocated to co if 
at least one of n and e is different. In defining co In a consistent manner, a one-way hash function h may be used. 

40 

(4) co = h(n|e) 

[0033] In the relation (4), n | e denotes the concatenation of the two bit-string representations of n and e. A one way 
45 hash function h is a function having the property that it is extremely difficult to calculate two distinct x and y satisfying 
h(x) = h(y). Known examples of one-way hash functions are the MD2, MD4 and MD5 of RSA Data Securities Inc., and 
the standard SHS (Secure Hash Standard) of the U.S. federal government. 

[0034] Among the above numbers, t, E and n can be open to public without any risk, while the rest of the numbers, 
namely D, e, co, p, q and ({) (n), are to be kept secret to everybody but those who are allowed to generate an access 

50 ticket. Fig. 3 depicts the constitution of the first embodiment, A verification device 10 comprises the followings: an 
access ticket public key storing means 1 01 ; a random number generation means 1 02; a random number storing means 
103; a response storing means 105; a verification means 106; an execution means 107; and an error trapping means 
108. On the other hand, a proving device 11 comprises the followings: a challenging data storing means 111; a first 
calculation means 112; an access ticket storing means 113; a second calculation means 114; a user identifying infor- 

55 mation storing means 115; and a response generation means 116. 

[0035] By the following numbered paragraphs, the function of the means constituting the devices will be described. 

1 . The verification device 10 is invoked by a user. The way to invoke the device varies depending upon how the 
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device is implemented. A few examples are now shown. First, the verification device 10 may be implemented as 
a part of an application program to be installed and executed on a user's PC or workstation. In this case, the user 
may invoke the verification device 1 0 by invoking the application program in ordinary ways. For example, the user 
may click the iconic symbol representing the application program on the computer screen with a pointing device 
such as a mouse, or may use a keyboard. The verification device 10 may be implemented as a program installed 
and executed on a server computer that is connected to a user's PC or workstation by means of computer network. 
In this case, in order to invoke the verification device 10, a user first invokes a communication program installed 
on his/her own PC or workstation: the communication program establishes a connection to the server, and asks 
the server to invoke the verification device 10. When the communication program and the server follow the TCP/ 
I P protocols, for instance, the verification device 1 0 is allocated to a predefined port number on the server computer. 
When the communication program issues a requirement for establishing a connection to the port, inetd, a demon 
program running on the server computer, receives the requirement. After checking which program is allocated to 
the specified port, it finally invokes the verification device 10, and establishes a connection between the verification 
device and the communication program. This way of implementation is very common in networked computer sys- 
tems like Internet. The verification device 10 may be implemented as a program written on a ROM or EEPROM 
within a smart card reader-writer. In this case, the proving device 1 1 is a program installed on an IC chip of a smart 
card; the verification device 10 is invoked whenever a user inserts his/her smart card into the smart card reader- 
writer. 

2. The verification device 1 0 sends challenging data C and a modulus n to the challenging data storing means 1 1 1 
of the proving device 11 . The modulus n is stored in the access-ticket public key storing means 1 01 . On the other 
hand, challenging data C is generated as follows: the random number generation means 1 02 generates a random 
integer r so that r and the modulus n are relatively prime {gcd(r, n) = 1 ); the generated random integer r is stored 
in the random number storing means 103; finally, the random number generation means 102 sets the value of C 
to r. As stated later in more detail, the response which the proving device 11 is to respond to the verification device 
10 is RSA-encryption of r with D as the key and n as the modulus. Since the value of C is identical to the random 
integer r, it varies with occurrence of communication between the verification device 1 0 and the proving device 11 . 
This prevents so-called replay attack from succeeding. 

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the 
relation (5). An access ticket t to be used is stored in the access ticket storing means 113. 

(5) R' = C* mod n 

4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation 
(6). A user identifying information e to be used is stored in the user identifying information storing means 115. 

(6) S = C® mod n 

5. Receiving R' and S from the first calculation means 112 and the second calculation means 114, the response 
generation means 116 of the proving device 11 calculates a response R according to the relation (7). 



(7) R = R'Smodn 

45 ' - 

6. The proving device 11 returns the generated response R to the response storing means 105 of the verification 
device 10. 

7. The verification means 106 of the verification device 10 first performs the calculation (8). Both the exponent E 
and the modulus n are stored in the access ticket public key storing means 101 , and the response R is stored in 

50 the response storing means 105. 

(8) R^ mod n 

55 [0036] Finally, the verification means 1 06 examines the relation (9). 

(9) C mod n = R^ mod n 
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[0037] If the relation (9) holds, the verification means invokes the execution means 107. The execution means 107 
provides a user with utilities that he/she wanted to access to. Othenwise, it invokes the error trapping means 1 08. The 
error trapping means 108 may deny user access by terminating the execution. 

5 Second Embodiment 

[0038] A second embodiment to be described is the same as the first embodiment regarding the definition of an 
access ticket t and the function of the proving device. However, the verification device works differently. The difference 
in the roles between challenging data C and a response R causes the difference in the function between the two 

'10 embodiments: in the first embodiment, a response R is encryption of a random challenging data C; in the second 
embodiment, a response R will be decryption of challenging data C which is encryption of some other meaningful data. 
[0039] Fig. 5 depicts the constitution of devices of the second embodiment, and Fig. 6 depicts flow of data. A verifi- 
cation device 10 comprises the following means: an access ticket public key storing means 101; a random number 
generation means 102; a random number storing means 103; a response storing means 105; a randomizing means 

15 121; a challenge seed storing means 122; a de-randomizing means 123; and an execution means 310. A proving 
device 11 comprises the following means: a challenging data storing means 111; a first calculation means 102; an 
access ticket storing means 113; a second calculation means 114; a user identifying Information storing means 115; 
and a response generation means 116. 

[0040] By the following numbered paragraphs, the function of the means constituting the devices will be described 
20 step by step. 

1 . The verification device 1 0 is invoked by a user. 

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 
of the proving device 1 1 . The modulus n is stored in the access ticket public key storing means 1 01 . On the other 

25 hand, challenging data C is generated by carrying out the following steps: the random number generating means 

102 generates a random integer r so that r and the modulus n are relatively prime (gcd (r, n) = 1); the random 
integer r is stored In the random number storing means 103; the randomizing means 121 generates challenging 
data C according to the relation (10). 

30 ^ 

(10) C = r''C'modn 

The Integer C is stored in the challenge seed storing means 1 22, and satisfies the relation (1 1 ) for some data K. 

35 

(11) C' = K''modn 

The exponent E (access ticket public key) and the modulus n are both stored in the access ticket public key 
storing means 101. 

^0 The verification device 10 retains encryption C of K instead of K Itself. In fact, C is RSA encryption of K with 

a public key E and a modulus n. This has an advantage in the viewpoint of security: the data K crucial for authen- 
tication procedures never leaks from the verification device 1 0. The randomness of r also plays an important role: 
If r were identical to some secret constant, the challenging data C would be encryption of the data K up to a constant 
coefficient, and therefore the response which the proving device 11 generates would be K up to a constant coef- 

45 ficient; thus, constant r would allow replay attacks since communication between the verification device 10 and 

the proving device 11 would be always identical. In this embodiment, by generating challenging data C so that it 
is dependent on a random number r (see the relation (1 0)), communication between the verification device 1 0 and 
the proving device 11 occurs with variation, and therefore attempts of replay attacks become hopeless. 

3. The first calculation means 112 of the proving device 11 calculates an Intermediate result R' according to the 
50 relation (12). 

(12) R'=C*modn 

55 In course of calculation, the means uses the access ticket t stored in the access ticket storing means 113. 

4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation 
(13). 
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(13) 



S = C mod n 



In course of calculation, the means uses the user identifying information e stored in the user identifying infor- 
mation storing means 115. 

5. Receiving the intermediate result R' and the differential S from the first calculation means 112 and the second 
calculation means 114, the response generation means 11 6 of the proving device calculates a response R accord- 
ing to the relation (14). 



6. The proving device 11 returns the generated response R to the response storing means 307 of the verification 
device 10. 

7. The de-randomizing means 123 of the verification device 10 calculates K' according to the relation (15). 



[0041] In course of calculation, the means uses the random number r stored in the random number storing means 
103 and the response R stored in the response storing means 105. Note that the values K' and K are identical with 
each other, if and only if the proving device 11 calculated the response R based on a right pair of an access ticket t 
and a user identifying information e. 

[0042] Finally, the de-randomizing means 123 sends K' to the execution means 310, and the execution means 310 
executes predefined procedures using this given K'. The execution means 310 is designed so that it works properly 
only when K' is identical with. K; otherwise it fails to work. 

[0043] The following paragraphs describes several examples of implementation of the execution means 31 0. 

1 . Fig. 7 depicts a first example. A memory means 31 0 a of the execution means 31 0 retains the data K. Receiving 
K' from the de-randomizing means 123, a comparison means 310b directly examines the equality K = K'. If the 
equality does not hold, the execution means 310 suspends its performance immediately. Othenwise, the execution 
means 310 continues its performance and provides users with utilities. This example includes the disadvantage 
caused from the fact that the data K critical for authentication procedures appears as it is in the device: when a 
computer program to be installed and executed on a user's PC or workstation is implemented on the execution 
means 310, it is not impossible for a user to find out the value K by analyzing the code of the application program. 
The value K is crucial, because, if once the user knows the value of K, and further if he/she can predict random 
number sequences to be generated by the random number generation means 102, he/she can construct a device 
simulating the proving device 10 without any of an access ticket and a user identifying information e. In other 
words, anybody could pass the authentication check by the verification device 1 0 with this simulator, whether he/ 
she is authorized or not. 

2. Fig. 9 depicts a second example. In this example, a memory means 310a retains h(K), instead of K, which is a 
value obtained by applying a one-way hash function h to K. A significant property of one-way hash functions is 
that it is computationally impossible to calculate x satisfying y = h(x) given y. Receiving K' from a de-randomizing 
means 1 23, a hashing means 31 Oc calculates h(K') which is the result of applying the one-way hash function h to K'. 

Then, the comparison means 310b examines the identity of this h(K') and the value stored in the memory 
means 310a (= h{K)). Compared with the first example, this example is safer since there is no effective means to 
find out the critical data K: even though a user succeeded in analyzing the code of the program constituting the 
execution means 310, he/she couldn't find out any more than the value of h(K); due to the property of one-way 
hash functions, it is computationally impossible to calculate K given h(K). However, when the execution means 
310 is implemented as a computer program, the comparison means 310b may be represented as an if-clause. If 
the verification device is further assumed to be executed on a user's PC or workstation, a user may have a chance 
to modify the code so that the if-clause shall be always skipped. 

Therefore, the implementation of the this example is not safe enough, in particular, if the execution means 
310 is implemented as a computer program to be executed on a user's PC or workstation. 

3. Fig. 1 1 depicts a third example. This time, protection is applied such that execution of the program of the execution 
means 310 becomes impossible by encrypting a portion or the whole of the code of the program. The encrypted 
code is stored in the challenge seed storing means 122 as a seed C for challenging data C. More precisely, the 
crucial data K is program code to be encrypted, and C is RSA encryption of the code K with a public key E and a 



(14) 



R = R'S mod n 



(15) 



K' = r"^ R mod n 
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modulus n (C = KE mod n). Both E and n are the values stored in the access ticket public key storing means 101 . 
The execution means 31 0 includes a code storing means 31 Od, a code loading means 31 Oe and a code execution 
means 31 Of. The code loading means 31 Oe feeds K', which the code storing means 31 Od received from the de- 
randomizing means 123, to the code execution means 31 Of. Only when K' Is identical with K, the code fed to the 

5 code execution means 31 Of is meaningful as a part of the program of the execution means 310. In the following, 

a more detailed description of the composition is provided. Consider the case where the execution means 310 is 
implemented as a computer program executed on a user's PC or workstation. The code storing means 31 Od is a 
specified region within a memory of a user's PC. 

The code execution means 31 Of comprises the CPU and OS of the PC. The CPU and OS, cooperating with 

10 each other, fetch instructions form a certain predefined region within the memory space (called program region), 

and executes those instructions one by one. Generally speaking, a meaningful chunk of instructions is called a 
program, and a program is located within the program region. The entity of the code loading means 31 Oe is a part 
of the program constituting the execution means 310, and it is to be executed at first when the execution means 
310 is invoked. When invoked, the code loading means 31 Oe orders the code execution means 31 Of to copy the 

15 content stored in the code storing means 31 Od onto a specified area within the program region, and then orders 

the code execution means 31 Of to execute the copied sequence of Instructions by issuing a JMP command, for 
example. 

Thus, since a part or the whole of the code of the program of the execution means 310 is encrypted, and 
further since it is decrypted temporarily only when the verification device 10 and the proving device 11 cooperate 
20 with each other properly, the execution means 31 0 is much safer than in the cases of the preceding two examples: 

even though a user succeeded in analyzing the program, he/she couldn't obtain the missing code K at all; modifying 
the code of the program without the knowledge about K is definitely no use. 

4. Fig. 13 depicts a fourth example. This example is substantially the same as the third example except that K is 
the encryption key used in encrypting code of the program constituting the execution means 310, while K is the 

25 code itself in the previous example. Since the code to be encrypted may be of large size, according to the com- 

position of the third example, the size of K (namely, that of C and C) may be large enough to make the performance 
of the verification device 1 0 and the proving device 1 1 worse. In contrast, according to the composition of the fourth 
example, the size of K (namely, that of C) remains unchanged irrespective of the size of the program code to be 
encrypted: the size of K is determined by the cipher algorithm to be used; if DES (Data Encryption Standard) Is 

30 used, K is always 64 (56) bits long even when the size of the code to be encrypted is measured by Mbyte. 

[0044] The execution means 310 comprises an encrypted code storing means 31 Og, a decryption means 31 Oh, a 
code loading means 31 01, and code execution means 31 Of. Receiving the data K' from the de-randomlzing means 1 23, 
the decryption means 31 Oh decrypts the content stored in the encrypted code storing means 31 Og. In the process of 
35 decryption, K' is used as a decryption key. The code loading means 3101 loads the output of the decryption means 
31 Oh, which is decrypted code if K' is identical with K, onto a specified area within the program region, and then orders 
the execution means 31 Of to execute the loaded code. 

Third Embodiment 

40 

[0045] In a third embodiment, the definition of an access ticket is given as the relation (16). 

(16) t = D+F(n,e) 

45 

[0046] The following bulleted paragraphs illustrate the symbols appearing in the relation (16). 

• An integer n is an RSA modulus, hence, a product of two very large prime numbers p and q (n = pq). 

• ^ (n) denotes the Euler number of n, hence, a product of two integers p-1 and q-1 ((|) (n) = (p-1 ) (q-1 )). 

50 • A user Identifying information e is an integer allocated to each user. The user identifying information e is unique 
to each user: 

• A different user identifying information is allocated to a different user. 

• An access-ticket secret key D Is the private key of an RSA public key pair. Since the assumed modulus is n, D 
55 satisfies the relation (1 7). 

(17) gcd(D, 4) (n)) = 1 
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• In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer 
E satisfying the relation (18), which is called an access-ticket public key, is derived form the relation 17. 

5 (18) ED mod (]) (n) = 1 

• A two variable function F{x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (19). 

10 

(19) F(x,y) = h(x|y) 

[0047] Figs. 15 and 16 are for depicting this embodiment: Fig. 15 depicts the constitution of the devices of this 
embodiment; Fig. 1 6 depicts flow of data. 

15 [0048] In Fig. 1 5, a proving device 1 1 comprises a challenging data storing means 1 1 1 , a first calculation means 1 1 2, 
an access ticket storing means 1 1 3, a second calculation means 1 1 4, a user identifying information storing means 115, 
a response generation means 1 1 6, and an exponent generation means 1 30. A verification device 1 0 in this embodiment 
may be identical with that in any of the first embodiment (shown in Fig. 3) or the second embodiment (shown in Fig. 5). 
[0049] By the following numbered paragraphs, the function of the means constituting the devices will be described 

20 step by step. 

1 . The verification device 1 0 is invoked by a user. 

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 
of the proving device 11. The modulus n is stored in the access ticket public key storing means 101, and the 

25 challenging data C is generated in one of the manners defined in the first embodiment or the second embodiment: 

C is identical with either r^ mod n or r^C mod n. 

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the 
relation (20). 

An access ticket t to be used is stored in the access ticket storing means 113. 

30 

(20) R' = mod n 

4. The exponent generation means 130 calculates F(n, e) by applying the collision-free function F to the modulus 
35 n, stored in the challenging data storing means 111, and the user identifying information e, stored in the user 

identifying information storing means 115. 

(21) F(n,e) 

40 

5. Receiving the result from the exponent generation means 1 30, the second calculation means 1 1 4 of the proving 
device 11 calculates a differential S according to the relation (22). 



(22) S = C'"^"'*''modn 

6. Receiving R' and S from the first calculation means 112 and the second calculation means 114, the response 
generation means 116 of the proving device calculates a response R according to the relation (23). 

(23) R = R'S"'' mod n 

In the relation (23), S'"" denotes the reciprocal of S under the modulus n. Hence, S and S'"" satisfy the relation 
(24). 

(24) SS""" mod n = 1 
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7. The proving device 11 returns the generated response R to the response storing means 105 of the verification 
device 10. 

8. The verification device 10 examines the response received from the proving device 11. 
Fourth Embodiment 

[0050] In a fourth embodiment, a proving device 11 comprises a computer program executed on a user's PC or 
workstation, a smart card or PC card (PCMCIA card) attachable to the user's PC or workstation, and a program executed 
on this smart card or PC card. 

[0051] As is obvious from the explanation of the former three embodiments, a user identifying Information e, stored 
in a user identifying information storing means 115, must be kept secret to others. Furthermore, observing process of 
execution of a second calculation means 114, which needs e as an input to itself, may lead to leak of e. The same 
situation applies to an exponent generation means 130. Consequently, in practical use, the user identifying information 
storing means 115. the second calculation means 114 and the exponent generation means 130 should be protected 
by some means against attempts to pry out some crucial secret out of them. 

[0052] One solution is confining the crucial part of the proving device 11 within hardware equipped with function to 
prevent its inside from being observed or tampered with by unauthorized means. Generally, such hardware is called 
tamper-resistant hardware. 

[0053] In creating the tamper-resistant hardware, it is possible to use the technology disclosed in Patent Number 
1,863,953, Patent Number 1,860,463 or Japanese Laid-Open Patent Publication 3-100753, for example. In Patent 
Number 1 ,863,953, an enclosure composed of a plurality of cards having multi-layered conductive patterns is provided 
surrounding an information memory medium. Memory information is destroyed when the conductive pattern which is 
detected differs from an expected pattern. 

[0054] In Patent Number 1,860,463, a detection circuit composed of an Integration circuit or the like is provided 
surrounding an information memory medium in addition to a conductive winding being formed, and through this, when 
there is infiltration to the electronic circuit region, fluctuations in electromagnetic energy are detected and memory 
information is destroyed. 

[0055] In Japanese Laid-Open Patent Publication 3-100753, an optical detector is provided within hardware, and 
the optical detector detects external light which enters when a force is applied which destroys the hardware or punctures 
the hardware, and a memory destruction device resets memory information. 

[0056] Further, choosing tamper-resistant hardware with portability such as a smart card or PC card may provide 
users with additional merits. Among information dealt with by a proving device 11, only an access ticket and a user 
identifying information are unique to an individual user. Hence, for example, it may be useful to confine a user identifying 
Information storing means 115, access ticket storing means 113, a second calculation means 114 and exponent gen- 
eration means 130 within a smart card or PC card, and implement the rest of the proving device 10 as a program to 
be executed on an arbitrary PC or workstation: a user can use an arbitrary PC or workstation, assuming that the 
program is installed on it, as his/her proving device only by inserting his/her own smart card or PC card into the computer. 
[0057] Fig. 1 7 depicts constitution of a proving deyice 1 1 of the first and second embodiments when a user identifying 
Information storing means 115 and a second calculation means 114 are confined within a smart card. 
[0058] Fig. 1 8 depicts constitution of a proving device 1 1 of the third embodiment when a exponent generation means 
130 in addition to a user Identifying information storing means 114 and a second calculation means 114 is confined 
within a smart card. 

[0059] For both Figs. 17 and 18, a card-side l/F means 141 within a smart card is an interface to a host computer 
for communication between a host computer and the smart card. More practically, the card-side l/F means 141 com- 
prises buffer memory and a communication program. 

[0060] A host-side l/F means 1 40, which is a part of a host computer, is the counter part of the card-side l/F means 
141 . Both l/F means, cooperating with each other, transfer messages from the host computer to the smart card, and 
vice versa. 

[0061] The following numbered paragraphs describe the function of the means constituting the devices. 

1 . The verification device 1 0 is invoked by a user. 

2. The verification device 10 sends challenging data C and a modulus n stored in the access ticket public key 
storing means 101 to the. challenging data storing means 111 of the proving device 11 . 

3. The host-side l/F means 140 of the proving device 10 sends the challenging data C and the modulus n to the 
card-side l/F means 141 within the smart card. 

4. The access ticket searching means 1 42 retrieves an access ticket t corresponding to the modulus n that is stored 
In the challenging data storing means 1 1 1 . As shown before, in any of the former three embodiments, the definition 
of an access ticket t involves a modulus n (t = D - e + co <{) (n) or t = D + F(n, e)). In the access ticket storing means 
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113, zero or more access ticket are stored, and each access ticket is indexed with the modulus that was used in 
generating the access ticket. 

5. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the 
relation (25), 

5 An access ticket t is stored in the access ticket storing means 113. 

(25) R' = C* mod n 

10 6. The host-side l/F means 1 40 issues a requirement for a differential S to the card-side l/F means 1 41 . A response 

which the host-side l/F means 140 receives is a- differential S of one of the following forms: if the access ticket t 
and the means within the smart card were implemented in the manner of the first and second embodiments, the 
differential S satisfies the relation (26); if the access ticket t and the means within the smart card were implemented 
in the manner of the third embodiment, the differential S satisfies the relation (27). 

15 

(26) S = mod n 

20 (27) S = C''*"'®' modn 

7. The response generation means 116 of the proving device 11 calculates a response R according to either the 
relation (28) or (29): if the access ticket t and the means within the smart card were implemented in the manner 
of the first and second embodiments, the relation (28) shall be applied; if the access ticket t and the means within 

25 the smart card were implemented in the manner of the third embodiment, the relation (29) shall be applied. 

(28) R = R'Smodn 

-1 ' 
(29) R = R'S mod n 

8. The proving device 11 returns the generated response R to the response storing means 307 of the verification 
device 10. 

35 

[0062] In this embodiment, it is possible to calculate the intermediate result R' and the differential S concurrently, 
because the former is calculated within the host computer and the latter is within the smart card. Obviously, this con- 
current calculation reduces the total time which the proving device 11 needs for calculating a response to a received 
challenging data. 

40 [0063] Further, in this embodiment, the access ticket storing means 113 may retain more than one access tickets, 
and the access ticket searching means 142 retrieves an appropriate access ticket using a modulus issued by the 
verification device 10 as a key for retrieval. Basically, different verification device, which may be embedded within a 
different application program or server program, should assume a different modulus. Therefore, a user who want to 
access to more than one application programs or server programs is obliged to have a number of access tickets. 

45 [0064] The stated function of the access ticket searching means 142 would release a user from paraphernalja of 
selecting a correct access ticket by himself. 

Fifth Embodiment 

50 [0065] In a fifth embodiment, the Pohlig-Heilman asymmetric key cryptography is used instead of the RSA public 
key cryptography. 

[0066] In this embodiment, the definition of an access ticket t is given as the relation (30). 
55 (30) t = D + F(p.e) 

[0067] The following bulleted paragraphs illustrate the symbols appearing in the relation (30). 
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• An integer p is a very large prime number. 

• A user identifying information e is an integer allocated to each user. The user identifying Information e is unique 
to an individual user: a different user identifying information is allocated to a different user. 

• An access ticket secret key D is one component of a Pohlig-Hellman asymmetric key pair. Since the assumed 
modulus is p, D satisfies the relation (31). 

(31) gcd(D,p-1) = 1 

[0068] In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an 
integer E satisfying the relation (32), which is called an access-ticket public key, is derived from the relation (31). 

(32) ED mod p-1 = 1 

• A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (33). 

(33) F(x, y) = h(x I y) 

[0069] Figs. 20 and 21 are for depicting this embodiment: Fig. 20 depicts the constitution of the devices of this 
embodiment; Fig. 21 depicts flow of data. In Fig. 20, a proving device 41 comprises the following means: a challenging 
data storing means 41 1 ; afirst calculation means 41 2; an access ticket storing means 41 3; a second calculation means 
41 4; a user identifying information storing means 41 5; a response generation means 41 6; and an exponent generation 
means 430. On the other hand, a verification device 40 comprises the following means: a key storing means 401 ; a 
random number generation means 402; a random number storing means 403; a response storing means 405; a ran- 
domizing means 421 ; a challenging seed storing means 422; a de-randomizing means 423; and an execution means 
310. 

[0070] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1 . The verification device 40 is invoked by a user. 

2. The verification device 40 sends challenging data C and a modulus p to the challenging data storing means 41 1 
of the proving device 41 . The modulus p is stored in the key storing means 401 . In this embodiment, the challenging 
data C is assumed to be generated in a manner similar to that in the second embodiment. However, it is easy to 
construct another embodiment such that challenging data C is generated in a manner similar to that in the first 
embodiment. The challenging data C in this embodiment is generated by carrying out the following steps: the 
random number generating means 402 generates a random integer r so that r and the modulus p are relatively 
prime (gcd(r, p) = 1); the random integer r is stored in the random number storing means 403; and the randomizing 
means 121 generates challenging data C according to the relation (34). 

(34) C = r^C'modp 

The integer C is stored in the challenge seed storing means 422, and satisfies the relation (35) for some data K. 

(35) C = mod p 

The exponent E (access ticket public key) and the modulus p are both stored in the key storing means 401 . 

3. The first calculation means 412 of the proving device 41 calculates an intermediate result R' according to the 
relation 36. 

An access ticket t to be used is stored in the access ticket storing means 113. 



(36) R' = C* mod p 
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4. The exponent generation means 430 calculates F(p, e) by applying the collision-free function F to the nfiodulus 
p, stored in the challenging data storing means 111, and the user identifying information e, stored in the user 
identifying information storing means 415. 

(37) F(p,.e) 

5. Receiving the result from the exponent generation means 430, the second calculation means 41 4 of the proving 
device 41 calculates a differential S according to the relation (38). 

10 

(38) S = C''*P'®^ modp . 

6. Receiving R' and S from the first calculation means 412 and the second calculation means 414, the response 
15 generation means 416 of the proving device 41 calculates a response R according to the relation (39). 

(39) R = R'S"^ mod p 

20 In the relation (39), S"'' denotes the reciprocal of S under the modulus p. Hence, S and S"'' satisfy the relation 

. (40). 

(40) SS'"* mod p = 1 

25 

7. The proving device 41 returns the generated response R to the response storing means 405 of the verification 
device 40. 

8. The de-randomizing means 423 of the verification device 40 calculates K' according to the relation (41). 

(41) K' = r'Rmodp 

[0071] In course of calculation, the means uses the random number r stored in the random number storing means 
403 and the response R stored in the response storing means 405. 

35 

Sixth Embodiment 

[0072] A sixth embodiment is substantially similar to the third embodiment except that the EIGamal public key cryp- 
tography is used this time instead of the RSA public key cryptgraphy. In this embodiment, the definition of an access 
40 ticket t is given as the relation (42). 

(42) t = X + F(p. e) 

45 [0073] The following bulleted paragraphs illustrate the symbols appearing in the relation (42). 

• An integer p is a very large prime number. 

• A user identifying information e is an integer allocated to each user. The user identifying information is unique to 
an individual user: a different user identifying information is allocated to a different user. 

50 • Let (X, Y) be an arbitrary EIGamal asymmetric key pair assuming p is the modulus. Therefore the relation (43) is 
satisfied. 

(43) Y = mod p 

55 

[0074] In the relation (43), G denotes an integer representing a generator of the multiplicative group of the finite field 
of order p. 
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• Equivatently, G satisfies the relations (44) and (45). 

(44) G > 0 



(45) min { x>0 | G^ = 1 mod p} = p - 1 

• X is called an access ticket secret key, while Y Is called an access ticket public key. 

• A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (46). 

(46) F(x,y) = h(x|y) 

[0075] Figs. 22 and 23 are for depicting this embodiment: Fig. 22 depicts the constitution of the devices of this 
embodiment; Fig. 23 depicts flow of data. 

[0076] In Fig. 22, a proving device 51 comprises the following means: a challenging data storing means 511 ; a first 
calculation means 512; an access ticket storing means 513; a second calculation means 514; a user identifying infor- 
mation storing means 515; a response generation means 516; and an exponent generation means 530. On the other 
hand, a verification device 50 comprises the following means: an access ticket public key storing means 501 ; a random 
number generation means 502; a random number storing means 503; a response storing means 505; a randomizing 
means 521; a challenge seed storing means 522; a de-randomizing means 523; and an execution means 310. 
[0077] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1 . The verification device 50 is invoked by a user. 

2. The verification device 50 sends a pair (u, C) of challenging data and a modulus p to the challenging data storing 
means 511 of the proving device 51 . The modulus p is stored In the access ticket public key storing means 501 . 
On the other hand, the challenging data u and G is generated as follows. The first component u is stored in the 
challenge seed storing means 522, and satisfies the relation (47) for some secret random number z. 

(47). u = G^modp 

In the challenge seed storing means 522, one more seed C' is stored. C' satisfies the relation (48) for some , 
crucial data K. 

(48) C' = Y^Kmodp 

Using this C as a seed, the other component C is generated as follows. The random number generating means 
502 generates a random integer r so that r and the modulus p are relatively prime (gcd(r, p) = 1); the random 
Integer r is stored in the random number storing means 503; the randomizing means 521 generates challenging 
data C according to the relation (49). 

(49) C = rC' modp 

3. The first calculation means 512 of the proving device 51 calculates an intermediate result S according to the 
relation (50). 

An access ticket t to be used is stored in the access ticket storing means 513. 

(50) S = u* mod p 

4. The exponent generation means 530 calculates F(p, e) by applying the collision-free function F to the modulus 
p, stored in the challenging data storing means 511, and the user identifying information e, stored in the user 
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identifying infornnation storing means 515. 

(51) F(p,e) 

5 

5. Receiving the result from the exponent generation means 530, the second calculation means 51 4 of the proving 
device 51 calculates a differential S' according to the relation (52). 

10 (52) S' = u^*P'®* modp 

6. Receiving S and S' from the first calculation means 512 and the second calculation means 514, the response 
generation means 516 of the proving device 51 calculates a response R according to the relation (53). 

-1 

(53) R = S S'Cmodp 
In the relation (53), S-^ denotes the reciprocal of S over the modulus p. Hence, S and S""" satisfy the relation (54). 

(54) SS ' mod p = 1 

7. The proving device 51 returns the generated response R to the response storing means 505 of the verification 
device 50. 

25 8. The de-randomizing means 523 of the verification device 50 calculates K' according to the relation (55). 

(55) K' = r'^Rmodp 

30 [0078] In course of calculation, the means uses the random number r stored in the random number storing means 
503 and the response R stored in the response storing means 505. 

[0079] The straightfonA^ard implementation of the above constitution would involve the following problem: use of a 
common pair of seeds for challenging data (u, C) for more than one occurrences of authentication allows an attacker 
to construct a device which emulates the proving device 11 without the user Identifying information or the access ticket. 

35 To construct such an emulator, H = RC-1 mod p is recorded first where C is the challenging data at the first occurrence 
of authentication and R is the response to C calculated by the proving device 11 . The emulator retains this H instead 
of the user identifying information e and the access ticket t, and on arbitrary input (u, C) issued by the verification device 
1 0, returns to a response R calculated according to the relation R = HC mod p. Thus, the verification device 1 0 should 
have pairs of seeds (u^, C) as many as necessary, and should use distinct pair for distinct occurrence of authentication 

40 (Note that k for u = mod p is a random number). 

Seventh Embodiment 

[0080] A seventh embodiment exploits the EIGamal signature rather than the RSA public key cryptography in the 
45 first three embodiments or the EIGamal public key cryptography in the sixth embodiment. 
[0081] In this embodiment, the definition of an access ticket t is given as the relation (56). 

(56) t = X + F(p, e) 

50 

[0082] The following bulleted paragraphs illustrate the symbols appearing in the relation (56). 

• An integer p Is a very large prime number. 

• A user identifying information e is an integer allocated to each user. The user identifying information e is unique 
55 to an individual user: a different user identifying information is allocated to a different user. 

• Let (X, Y) be an arbitrary EIGamal asymmetric key pair assuming p Is the modulus. Therefore the relation (57) is 
satisfied. 
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(57) Y = G^modp 

[0083] In the relation (57), G denotes an integer representing a generator of the multiplicative group of the finite field 
5 of order p. 

[0084] Equivalently, an integer G satisfies the relations (58) and (59). 

(58) G > 0 

10 

(59) min { x>0 | G^ = 1 mod p} = p - 1 
[0085] X is called an access ticket secret key, while Y is called an access ticket public key. 

15 

• A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (60) shows. 

(60) F(x.y) = h(x|y) 

[0086] Figs. 24 and 25 are for depicting this embodiment: Fig. 24 depicts the constitution of the devices of this 
embodiment; Fig. 25 depicts flow of data. 

[0087] In Fig. 24, a proving device 61 comprises the following means: a challenging data storing means 611; a 
random number generation means 612; a first calculation means 613; a second calculation means 614; an access 
ticket storing means 615; and a user identifying information storing means 616. On the other hand, verification device 
60 comprises the following means: an access ticket public key storing means 601 ; a random number generation means 
602; a random number storing means 603; a response storing means 605; a verification means 606; a execution means 
607; and an error trapping means 608. 

[0088] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1 . The verification device 60 is invoked by a user. 

2. The verification device 60 sends challenging data C, a modulus p and a generator G to the challenging data 
35 storing means 611 of the proving device 61 . The modulus p and the generator G are stored in the access ticket 

public key storing means 601. On the other hand, the challenging data u and C are generated as follows: the 
random number generation means 602 generates a random integer r so that r and the modulus n are relatively 
prime (gcd(r, n) = 1); the generated random integer r is stored in the random number storing means 603; finally, 
the random number generation means 602 sets the value of 0 to r. As stated later in more detail, the response 
40 which the proving device 61 is to respond to the verification device 60 is EIGamal-signature of r with X as the 

signature key and p as the modulus. 

3. The random number generation means 612 of the proving device 61 generates a random integer k so that k 
and p are relatively prime (gcd(k, p) = 1). Receiving the random integer k from the random number generation 
means 61 2 and the modulus p and the generator G from the challenging data storing means 61 1 , the first calculation 

45 means 61 3 calculates a first component R of a response according to the relation (61 ). 

(61) R = G''modp 

50 Concurrently, the second calculation means 614 calculates a second component S of a response according 

to the relation (62). 

(62) S = (C - R (t - F(p, e)))k""' mod p - 1 

55 

The access ticket t is stored in the access ticket storing means 615, and the modulus p and the challenging 
data C are stored in the challenging data storing means 611 . 

4. The proving device 61 returns the generated response R to the response storing means 605 of the verification 
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device 60. 

5. The verification means 606 of the verification device 60 examines the relation (63). . 

5 (63) G' = Y^R® mod p 

The random integer r is stored in the random number storing means 603; the response pair (R, S) is stored in the 
response storing means 605; the modulus p, the access ticket public key Y and the generator G are all stored in 
the access ticket public key storing means 601 . 

10 

Eighth Embodiment 

[0089] An eighth embodiment provides an example of specification for ways how to generate access tickets safely. 
[0090] In any case of the previous embodiments, access tickets are calculated as output of a predefined function on 
15 input of specific secret information, namely user identifying information and access ticket secret keys. Since leak of 
that secret information threatens the safety of the entire scheme of authentication, a safe device may be necessary in 
generating access tickets. 

[0091] Such a device is required to provide the function which absolutely prevents leakage of the secret Information 
contained within it or results of calculations carried out within it. 

20 [0092] One of the simplest ways to constitute such a safe device is to implement services of generating and issuing 
access ticket to users on an isolated computer kept safe from any attempts at illegal accesses by users: in order to' 
protect that server computer against physical accesses by users, the computer should be placed in a room entry into 
which is severely controlled; further, if the server computer is networked with users' PCs and access tickets are issued 
to users on network, the threat of attacks via network should be taken into account; in protecting the server computer 

25 from those network attacks, the firewall technology (for details see "Building Internet Firewalls" by D. Brent Chapman 
and Elizabeth D. Zwicky, O'Reilly & Associates, Inc.) may be useful. 

[0093] As shown in the previous embodiments, an access ticket is generated so that only the user to whom the ticket 
is issued can use it. Speaking more accurately, a user may succeed in authentication procedure between a verification 
device and a proving device if and only if he is able to feed to the proving device both an access ticket and user 

30 identifying information based on which the access ticket has been generated. 

[0094] Moreover, access tickets stated in the previous embodiments satisfy a stricter standard of safety: there is no 
way to forge an access ticket or to construct a device which emulates the proving device even though an attacker is 
assumed to be able to collect an arbitrary number of access tickets issued by legitimate access ticket issuers. 
[0095] The fact that access ticket satisfies the above standard implies that access tickets are safe enough to be 

35 conveyed to users by relatively insecure means like electronic mails on Internet. 

Ninth Embodiment 

[0096] A ninth embodiment uses a composition method for an access ticket and user identifying information differing 
40 from those of the previous embodiments: this method is different from those of the previous embodiments in that the 
public information associated with user identifying information is used instead of the user identifying information itself 
in generating an access ticket. 

[0097] Therefore, according to the method stated below, a safe access ticket issuing server stated in the eighth 
embodiment is not necessary: a user is allowed to generate an access ticket with a program executed on his own PC 
45 or workstation. That program doesn't contain any secret information or any secret algorithm. 

[0098] The identifying information of a user U is the private key dj of an RSA public key pair. By (ey. ny), the public 
key corresponding to the private key 6^ is denoted. Hence, ny = pyQu for two distinct large prime numbers py and py, 
and dy and ey are integers determined so as to satisfy the relations (64). 

50 

1 < do < (pu - 1) (qu - 1) 
(64) 1 < eu < (Pu - 1) (qu - 1) 

eudu = 1 mod (pu - 1) (qu - 1) 

55 

[0099] Hereafter, the condition that ny is at least as large as a constant N common to all users is further assumed. 
[0100] An access ticket for a user U is composed as follows: the public key (E, n) of an RSA public key pair is taken 
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to be the public key of the access ticket to be generated; the private key D which is paired with this public key (E, n) 
is taken to be the secret key of the access ticket; when the prime factorization of n is n = pq, the relations 65 is 
established; finally, the access ticket t^ is defined by the relation (66). 

^ (65) 1 ^ D < N 

DE^I mod(p-1)(q-1) 



(66) ty = D (jnnodnj 

[0101] In the above composition, the unique security characteristic information for authentication process is the pri- 
vate key D. Same as the cases in the previous embodiments, a user succeeds in authentication procedures if and only 
if he is able to prove that he has means to calculate a right response to challenging data issued to him by a verification 
device: the calculated response is right only when it Is calculated based on the unique security characteristic information 
D. 

[0102] The composition method presented in this embodiment is characterized by the property that an access ticket 
is encryption of the unique security characteristic information D and the user identifying information. is the unique de- 
cryption key to obtain D from the access ticket. In addition, since the user identifying information is the private key of 
an RSA key pair, anybody who is allowed to know the public key paired with the private key can generate an access 
ticket for the user at will. 

[0103] Hereafter, the device composition and operation of the proving device 71 are described with reference to Fig. 
26. 

1 . A verification device 1 0 sends challenging data C to a challenging data storing means 711 of a proving device 71 . 

2. A decryption key generation means 712 of the proving device 71 acquires user identifying information du which 
is stored in a user identifying information storing means 715 and an access ticket ty which is stored in an access 
ticket storing means 713, and then calculates D' according to the relation (67). 

(67) D' = tu^^ mod ny 

3. On input of D' calculated by the decryption key generation means 712 and the challenging data C stored in the 
35 challenging data storing means 711, a response generation means 714 of the proving device 71 calculates a 

response R according to the relation (68). The calculated response R is returned to the verification device 10. 

(68) R = C°' mod n 

40 

4. The verification device 1 0 verifies the legitimacy of the response R. 

[0104] The access ticket secret key D in the definition of the access ticket ty = D®u mod ny must be kept secret to 
the user U. Therefore, the user identifying information storing means 713, the decryption key generation means 712 
45 and the response generation means 714 are to be incorporated in a defense means 760 which is a tamper-resistant 
hardware. 

[0105] The same as the cases of the previous embodiments, the verification device authenticates access rights of 
the user if and only if he has the right pair of the ticket ty and the user identifying information e. 

50 Tenth Embodiment 

[01 06] A tenth embodiment is substantially the same as the ninth embodiment, except that a response R is calculated 
using a symmetric key cipher Instead of using the RSA public key cryptography as in the ninth embodiment and an 
access ticket is RSA-encryption of the decryption key (same as the encryption key) D of the symmetric key cipher. As 
55 the encryption key to generate the access ticket, the public key (ey, ny) and the RSA algorithm is used. 

[0107] When the encryption function of the symmetric key encryption is expressed as Encrypt (key plain message: 
the output of this function being the cipher message of the plain message which is the second argument of the function) 
and the decryption function is expressed as Decrypt (key cipher message: the output being the plain message corre- 
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spending to the cipher message which is the second argument of the function), the challenging data C is defined by 
relation (69). 

(69) C = Encrypt (D, K) 
[0108] Furthermore, the access ticket tU is defined by the relation (70). 

(70) tu = D®^ mod Hu 

[0109] Hereafter, the operation of the proving device 11 is described with reference to Fig. 26. 

1 . A verification device 1 0 sends challenging data C to a challenging data storing means 711. 

2. A decryption key generation means 71 2 of the proving device 1 1 acquires user identifying Information dy which 
is stored in a user identifying information storing means 71 5 and an access ticket ty which Is stored in an access 
ticket storing means 713, and then calculates D' according to the relation (71). 

(71) D'=tu^^modnu 

3. On input of D' calculated by the decryption key generation means 712 and the challenging data C stored in the 
challenging data storing means 711, a response generation means 714 of the proving device 11 calculates a 
response R according to the relation (72). The calculated response R is sent back to the verification device 10. 

(72) R = Decrypt (D' C) 

4. The verification device 1 0 verifies the legitimacy of the response R. 

[0110] The foregoing description of preferred embodiments of this invention has been presented for purposes of 
illustration and description. It is not intended to be exhaustive or to, limit the invention to the precise form disclosed, 
and modifications and variations are possible in light of the above teachings or may be acquired from practice of the 
invention. The embodiments were chosen and described in order to explain the principles of the invention and its 
practical application to enable one skilled in the art to utilize the invention in various embodiments and with various 
modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined 
by the claims appended hereto. 



Claims 

1. A device for authenticating user's access rights to resources comprising: 

first memory means (111) for storing challenging data (18); 

second memory means (115) for storing user unique identifying information (16); 

third memory means (113) for storing proof support information (13) which is a result of executing predeter- 
mined computations to the user unique identifying information (16) and unique security characteristic infor- 
mation (14) of the device; 

response generation means (116) for generating a response (19) from the challenging data (18) stored in the 
first memory means (111), the user unique identifying information (16) stored in the second memory means 
(115), and the proof support information (13) stored in the third memory means (113); and 
verification means (106) for verifying the legitimacy of the response (19) by verifying that the response (19), 
the challenging data (1 8) and the unique security characteristic information (1 4) of the device satisfy a specific 
predefined relation. 

2. The device for authenticating user's access rights to resources of claim 1 further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, at least confining the second memory means (115) and the response generation means (116). 
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3. The device for authenticating user's access rights to resources of claim 1 , wherein 

at least the second memory means (115) and the response generation means (116) are implemented within 
a small portable device such as a smart card. 

4. The device for authenticating user's access rights to resources of any of claims 1 through 3, wherein 

the response generation means (116) comprises: 

first calculation means (712) for replaying the unique security characteristic information (14) of the device by 
executing predetermined calculations to the user unique identifying information (1 6) stored in the second mem- 
ory means (115) and the proof support information (13) stored in the third memory means (113); and 
second calculation means (714) for generating a response by executing predetermined calculations to the 
challenging data (18) stored in the first memory means (111) and the unique security characteristic information 
(14) of the device replayed by the first calculation means (712). 

5. The device for authenticating user's access rights to resources of any of claims 1 through 3, wherein 

the response generation means (116) comprises: 

third calculation means (112) for generating first intermediate information by executing predetermined calcu- 
lations to the challenging data stored in the first memory means and the proof support information stored in 
the third memory means; 

fourth calculation means (114) for generating second intermediate information by executing predetermined 
calculations to the challenging data (1 8) stored in the first memory means (111) and the user unique identifying 
information (16) stored in the second memory means (115); and 

fifth calculation means (116) for generating a response by executing predetermined calculations to the first 
intermediate information generated by the third calculation means (112) and the second intermediate infor- 
mation generated by the fourth calculation means (114). 

6. The device for authenticating user's access rights to resources of claim 5, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, at least confining the second memory means (115) and the fourth calculation means (114). 

7. The device for authenticating user's access rights to resources of claim 5, wherein 

at least the second memory means (115) and the fourth calculation means (114) are implemented within a 
portable device such as a smart card. 

8. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein 

the unique security characteristic information (14) of the device is a decryption key of a cipher function, 
the challenging data (18) is encryption of information using the cipher function with the encryption key corre- 
sponding to the decryption key, and 

the verification means (1 06) verifies the legitimacy of the response by verifying that the response (1 9) gener- 
ated by the response generation means (116) is identical with decryption of the challenging data with the 
decryption key. 

9. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein 

the unique security characteristic information (14) of the device is an encryption key of a cipher function, and 
the verification means (1 06) verifies the legitimacy of the response by verifying that the response (1 9) gener- 
ated by the response generation means (116) is identical with encryption of the challenging data with the 
encryption key. 

10. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein 

the characteristic information (14) of the device is the signature key of a digital signature function, and 
the verification means (106) verifies the legitimacy of the response by verifying that the response (1 9) gener- 
ated by the response generation means (116) is identical with the digital signature for the challenging data, 
which is calculated with the signature key. 



22 



EP 0 792 044 B1 



11. The device for authenticating user's access rights to resources of claim 8 or 9, wherein 

the cipher function is of the asymmetric key cryptography, and 

the unique security characteristic information (1 4) of the device is one component of the key pair of the cipher 
function. 

12. The device for authenticating user's access rights to resources of claim 11 , wherein 

the cipher function is of the public key cryptography, and 

the unique security characteristic information (14) of the device is the private key of the public key pair of the 
cipher function. 

13. The device for authenticating user's access rights to resources of claim 8 or 9, wherein 

the cipher function is of the symmetric key cryptography, and 

the unique security characteristic information (14) of the device is the common key of the cipher function. 

14. The device for authenticating user's access rights to resources of any of claims 1 through 13, further comprising: 

a proving device (11) having the fjrst memory means (1 1 1 ), the second memory means (1 1 5), the third memory 
means (113) and the response generation means (116); and 

a verification device (10) having fourth memory means for storing the challenging data (18), fifth memory 
means (105) for storing the response (1 9) and the verification means (1 06), wherein 
the verification device (10) transfers the challenging data (18) stored in the fourth memory means to the first 
memory means (1 1 1 ) of the proving device (1 1 ), the proving device (11 ) transfers the response (1 9) generated 
by the response generation means (116) to the fifth memory means (105) of the verification device (10), and 
the verification means (1 06) of the verification device (10) verifies the legitimacy of the response stored in the 
fifth memory means (1 05). 

15. The device for authenticating user's access rights to resources of claim 14, wherein 

the unique security characteristic information (14) of the device is an encryption key of a cipher function, 
the verification device (10) comprises random number generation means (102) for generating a random 
number and for storing it in the fourth memory means, and 

the verification means (1 06) verifies the legitimacy of the response by verifying that the response stored in the 
fifth memory means (105) is identical with encryption of the challenging data stored in the fourth memory, 
means (103) with the encryption key. 

16. The device for authenticating user's access rights to resources of claim 14, wherein 

the unique security characteristic information (14) of the device is a decryption key of a cipher function, 
the verification device (10) comprises random number generation means (102) for generating a random 
number, sixth memory means ( 1 03) for storing the generated random number and seventh memory means 
(122) for storing a seed for challenging data, and wherein 

the random number generation means (102) stores the generated random number in the sixth memory means 
(103) while randomizing the seed for the challenging data stored in the seventh memory means (122) by 
executing predefined calculations to the random number stored in the sixth memory means (103) and the seed 
stored in the seventh memory means (122) and then storing the randomized seed as challenging data in the 
fourth memory means, and 

the verification means (106) of the verification device (10) de-randomizes the response stored in the fifth 
memory means (105) by executing predefined calculations to the random number stored in the sixth memory 
means (1 03) and the response stored in the fifth memory means (1 05), and then verifies the legitimacy of the 
de-randomized response by verifying that the de-randomized result is identical with decryption of the seed 
stored in the seventh memory means (122) with the decryption key which is the unique security characteristic 
information (14) of the device. 

17. The device for authenticating user's access rights to resources of claim 1 4, wherein 



23 



EP 0 792 044 B1 



the unique security characteristic information (14) of the device is the signature key of a digital signature 
function, and 

the verification device (10) comprises random number generation means (102) for generating a random 
number and storing the generated random number as challenging data in the fourth memory means, and 
wherein 

the verification means (1 06) of the verification device (1 0) verifies the legitimacy of the response by verifying 
that the response stored in the fifth memory means (1 05) is identical with the digital signature for the challenging 
data stored in the fourth memory means, which is calculated with the signature key which is the unique security 
characteristic information (14) of the device. 

18. The device for authenticating user's access rights to resources of claim 1 5, wherein 

the unique security characteristic information (14) of the device is the private key D of an RSA public key pair 
with a modulus n, and 

the verification means (106) verifies the legitimacy of the response by verifying that the E-th power of the 
response R stored In the fifth memory means (1 05), where E denotes the public key associated with the private 
key D, is congruent with the challenging data C stored in the fourth memory means modulo n, i.e. mod n 
- C mod n. 

19. The device for authenticating user's access rights to resources of claim 16, wherein 

the unique security characteristic information (14) of the device is the private key D of an RSA public key pair 
with a modulus n, 

a seed C for challenging data stored in the seventh memory means (1 22) is an RSA-encryption of data K with 
the public key E of the RSA public key pair, i.e. DE mod (t)(n) = 1, C = mod n, 

a random number r generated by the random number generation means (102) is stored in the sixth memory 
means (103), 

challenging data C generated and stored in the fourth memory means satisfies the relation C = r^C mod n, and 
the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (105) 
by verifying that the quotient of R divided by r modulo n Is congruent with the data K modulo n, i.e. K mod n 
=:riRmodn. 

20. The device for authenticating user's access rights to resources of claim 18 or 19, wherein 

a proof support information t (1 3) stored in the third memory means (113) satisfies the relation t = D - e + w cj) 
(n), where e denotes user unique identifying information (16) stored in the second memory means (115), w 
denotes a conflict-free random number determined dependent upon both n and e and ^{n) denotes the Euler 
number of n, and 

the response generated by response generation means (116) is Identical with the D-th power of challenging 
data C stored in the first memory means (111) modulo n, i.e. R = mod n. 

21 . The device for authenticating user's access rights to resources of claim 20, wherein 

the response generation means (116) further comprises: 

third calculation means (112) for calculating the t-th power of challenging data C stored in the first memory 
means (111) modulo n, i.e. C* mod n, where t denotes proof support information (13) stored in the third memory 
means (113); 

fourth calculation means (114) for calculating the e-th power of the challenging data C modulo n, i.e. C® mod 
n, where e denotes user unique identifying information (16) stored in the second memory means (115); and 
fifth calculation means (116) for calculating a response R by multiplying the result calculated by the third cal- 
culation means (112) by the result calculated by the fourth calculation means (114) modulo n, i.e. R = C*C® 
mod n. 

22. The device for authenticating user's access rights to resources of claim 21 , further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (115) and the fourth calculation means (114). 

23. The device for authenticating user's access rights to resources of claim 1 8 or 1 9, wherein 
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proof support information t (13) stored in the third memory means (113) satisfies the relation t = D + F{n, e), 
where e denotes user unique identifying information (16) stored in the second memory means (115), and F(x, 
y) denotes a two-variable collision-free function, and 

a response generated by the response generation means (1 1 6) is identical with the D-th power of challenging 
data C stored in the first memory means (111) modulo n, i.e. R = mod n. 

24. The device for authenticating user's access rights to resources of claim 23, wherein 

the response generation means (116) further comprises: 

third calculation means (112) for calculating the t-th power of challenging data C stored in the first memory 
means (111) modulo n, where t denotes the proof support information (13) stored in the third memory means 
(113), i.e. C* mod n; 

fourth calculation means (114) for calculating the F(n, e)-th power of the challenging data C modulo n, i.e. 
CF(n.e) mod n, where e denotes the user unique identifying information (16) stored in the second memory 
means (115) and F(x, y) denotes a two-variable collision-free function; and 

fifth calculation means (116) for calculating a response R by dividing the result calculated by the third calculation 
means (112) by the result calculated by the fourth calculation means (114) modulo n, i.e. R = C* C'"^*"-®) mod n. 

25. The device for authenticating user's access rights to resources of claim 24, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (115) and the fourth calculation means (114). 

26. The device for authenticating user's access rights to resources of claim 1 5, wherein 

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair of a 
modulus p, and 

the verification means (106) verifies the legitimacy of the response by verifying that the E-th power of the 
response R stored in the fifth memory means (105), where E denotes the counterpart key of the key D, i.e. 
DE mod (p-1 ) = 1 , is congruent with the challenging data C stored in the fourth memory means modulo p, i.e. 
R^ mod p = C mod p. 

27. The device for authenticating user's access rights to resources of claim 1 6, wherein 

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair of a 
modulus p, 

a seed C for challenging data stored in the seventh memory means (422) is Pohlig-Hellman-encryption of 
data K with the counterpart key E of the key D, i.e. DE mod (p-1) = 1 , C = mod p, 
a random number r generated by the random number generation means (402) is stored in the sixth memory 
means (403), 

challenging data C stored in the fourth memory means satisfies the relation C = r^C mod p, and 
the verification means (1 06) verifies the legitimacy of the response R stored in the fifth memory means (405) 
by verifying that the quotient of R divided by r modulo p is congruent with the data K modulo p, i.e. K mod p 
= riRmodp. 

28. The device for authenticating user's access rights to resources of claim 26 or 27, wherein 

proof support information t (13) stored in the third memory means (413) satisfies the relation t = D + F(p, e), 
where e denotes the user unique identifying information (16) stored in the second memory means (415), and 
F(x, y) denotes a two-variable collision-free function, and 

a response generated by the response generation means (41 6) is identical with the D-th power of challenging 
data C stored in the first memory means (411) modulo p, i.e. R = C"^ mod p. 

29. The device for authenticating user's access rights to resources of claim 28, wherein 

the response generation means (416) further comprises: 

third calculation means (41 2) for calculating the t-th power of challenging data C stored in the first memory 
means (411) modulo p, where t denotes the proof support information (13) stored in the third memory means 
(413), i.e. C» mod p; 
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fourth calculation means (414) for calculating the F(p, e)-th power of the challenging data C modulo p, i.e. 
C^iP^G) mod p, where e denotes the user unique identifying information (16) stored In the second memory 
means (415) and F(x, y) denotes a two-variable collision-free function; and 

fifth calculation means (416) for calculating a response R by dividing the result calculated by the third calcu- 
lation means (412) by the result calculated by the fourth calculation means (414) modulo p, i.e. R = C* C'^iP'^) 
mod p. 

30. The device for authenticating user's access rights to resources of claim 29, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (415) and the fourth calculation means (414). 

31 . The device for authenticating user's access rights to resources of claim 1 6, wherein 

the unique security characteristic information (14) of the device is the private key X of an EIGamal public key 
pair with a modulus p and a generator G, 

the public key Y corresponding to X is the X-th power of G modulo p, i.e. Y = G^ mod p. 

u denotes the z-th power of G modulo p (u = G^ mod p) for a random number z, 

K' denotes the product modulo p of the z-th power of Y modulo p and a data K, i.e. K' = Y^ K mod p, 

the seventh memory means (522) retains the pair of u and K', 

a random number r generated by the random number generation means (602) is stored in the sixth memory 
means (603), 

C denotes the product modulo p of K' and r, i.e. C = rK' mod p, 
the fourth memory means retains the pair C and u, and 

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (505) 
by verifying that the quotient of R divided by r modulo p is congruent with K modulo p. i.e. K mod p = R mod p. 

32. The device for authenticating user's access rights to resources of claim 31 , wherein 

proof support information t (13) stored in the third memory means (513) satisfies the relation t = D + F(p, e), 
where e denotes the user unique identifying information (16) stored in the second memory means (515) and 
F(x, y) denotes a two-variable collision-free function, and 

a response R generated by the response generation means (516) is identical with the quotient of 0 divided 
by X-th power of u modulo p, i.e. R = u-^G mod p, where the pair C and u is the challenging data stored in the 
first memory means (511). 

33. The device for authenticating user's access rights to resources of claim 32, wherein 

the response generation means (516) further comprises: 

third calculation means (512) for calculating the t-th power of the component u of the challenging data pair 
stored in the first memory means (511 ) modulo p, where t denotes proof support information stored in-the third 
memory means (513), i.e. u* mod p; 

fourth calculation means (514) for calculating the F(p, e)-th power of u modulo p, i.e. u^iP'^) mod p, where e 
denotes the user unique identifying information (16) stored in the second memory means (515) and F(x, y) 
denotes a two-variable collision-free function; and 

fifth calculation means (51 6) for calculating a response R by dividing the product of the other component C of 
the challenging data pair and the result calculated by the fourth calculation means (514) by the result calculated 
by the third calculation means (512) modulo p, i.e. R = Cu'^tP-e) u-* mod p. 

34. The device for authenticating user's access rights to resources of claim 33, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (515) and the fourth calculation means (514). 

35. The device for authenticating user's access rights to resources of claim 1 7, wherein 

the unique security characteristic information (14) of the device is the signature key X of an EIGamal public 
key pair with a modulus p and a generator G, 

the public key Y corresponding to X is the X-th power of G modulo p, i.e. Y = G^ mod p, 
a response stored in the fifth memory means (605) is a pair of R and S, and 
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the verification means (606) verifies tfie legitimacy of the response R stored in the fifth memory means (605) 
by verifying that the C-th power of G for the challenging data C stored in the fourth memory means is congruent 
modulo p with the product of the R-th power of Y and the S-th power of R, i.e. mod p = Y^^RS mod p. 

5 36. The device for authenticating user's access rights to resources of claim 35, wherein 

proof support information t (13) stored in the third memory means (613) satisfies the relation t = D + F(p, e), 
where e denotes the user unique identifying information (16) stored in the second memory means (616), and 
F(x, y) denotes a two-variable collision-free function, and 
10 the response generation means (116) generates a response pair R and S by carrying out the following steps of: 

generating a random number k; 

calculating R as the k-th power of G modulo p, i.e. R = G"^ mod p; and 
calculating S according to the relation S = (0 - RX) k-^ mod (p-1). 

15 

37. The device for authenticating user's access rights to resources of claim 36, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (616) and the fourth calculation means (614). 

20 38. The device for authenticating user's access rights to resources of claim 4, wherein 

the user unique identifying information (16) stored in the second memory means (71 5) is a decryption key of 
a cipher function, 

the proof support information (13) stored in the third memory means (713) is an encryption of the unique 
25 security characteristic information of the device with the encryption key corresponding the decryption key. and 

the first calculation means (712) calculates the unique security characteristic information (14) of the device by 
decrypting the proof support information stored in the third memory means (71 3) with the decryption key stored 
in the second memory means (715). 

30 39. The device for authenticating user's access rights to resources of claim 38. wherein 

the cipher function is of the asymmetric key cryptography, and 

the user unique identifying information (16) is a component of the key pair of the cipher function. 
35 40. The device for authenticating user's access rights to resources of claim 39, wherein 
the cipher function is of the public key cryptography, and 

the user unique identifying information (16) is the private key of the public key pair of the cipher function. 
40 41. The device for authenticating user's access rights to resources of claim 38, wherein 
the cipher function Is of the symmetric key cryptography, and 

the user unique identifying information (16) is the common secret key of the cipher function. 

45 42. The device for authenticating user's access rights to resources of claim 8 or 1 6, wherein 
the verification device (10) further comprises: 

eighth memory means (310a) for storing a clear data encryption of which is the challenging data or the seed 
for challenging data stored in the first memory means (111); and 
50 comparison means (310b) for examining whether the clear data stored in the eighth memory means (310a) 

is identical with data inputted to the comparison means (310b). and wherein 

the verification means (106) feeds the response or the de-randomized value of the response stored in the fifth 
memory means (105) to the comparison means (310b), receives the answer from the comparison means 
(310b), and thereby the verification means (106) verifies the legitimacy of the response if and only if the re- 
55 ceived answer shows that the clear data stored in the eighth memory means (31 Oa) is identical with the data 

inputted to the comparison means (310b). 

43. The device for authenticating user's access rights to resources of claim 8 or 1 6, wherein 
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the verification device (10) further comprises: 

ninth memory means (31 Oa) for storing a value obtained by applying a one-way function to clear data encryption 
of which is the challenging data or the seed for challenging data stored in the seventh memory means (122); 
sixth calculation means (31 Oc) for outputting a value calculated by applying the one-way function to an inputted 
data; and 

comparison means (310b) for examining whether the value stored in the ninth memory means (310a) is iden- 
tical with data inputted to the comparison means (310b), and wherein 

the verification means (106) feeds the response or the de-randomized value of the response to the sixth cal- 
culation means (310c), receives a result from the sixth calculation means (310c), feeds the result to the com- 
parison means (31 Ob) and receives an answer from the comparison means (31 Ob), and thereby the verification 
means (106) verifies the legitimacy of the response if and only if the received answer shows that the result of 
the calculation by the sixth calculation means (310c) is identical with the data stored in the ninth memory 
means (310a). 

44. The device for authenticating user's access rights to resources of claim 8 oris, wherein 

the verification device (10) further comprises: 

program execution means (31 0) for executing code of a program encryption of which is the challenging data 
stored in the seventh memory means (122), and wherein 

the verification means (106) feeds the response stored in the fifth memory means (105) as program code to 
the program execution means (310), and 

the program execution means (310) correctly functions if and only if the response generation means (116) 
correctly decrypts the challenging data which is an encryption of the code of the program, that is, the encryption 
of the program is correctly decrypted. 

45. The device for authenticating user's access rights to resources of claim 8 or 1 6, wherein 

the verification device (10) further comprises: 

program execution means (310); 

program storing means (31 Og); and 

program decryption means (31 Oh), and wherein 

the program storing means (31 Og) stores code of a program a part or all of which is encrypted, 

an encryption of the decryption key for the partial or whole encrypted program code is the challenging data 

stored in the seventh memory means (122), 

the verification means (106) feeds the response to the program decryption means (31 Oh), 

the program decryption means (31 Oh) decrypts the program stored in the program storing means (31 Og) with 

the response as a decryption key, and 

the program execution means (310) correctly executes the decrypted program if and only if the response 
generation means (116) correctly decrypts the challenging data, that is, the decryption key for decrypting the 
encryption of the program is correctly decrypted. 

46. The device for authenticating user's access rights to resources of claim 14, wherein 

the proving device (11) and the verification device (10) are installed in a box material, and 
the verification device (10) transfers the challenging data (18) stored in the fourth memory means to the first 
memory means (111) of the proving device (11) and the proving device (11) transfers the response (19) gen- 
erated by the response generation means (1 1 6) to the fifth memory means (1 05) of the verification device (10) 
without using a communication network outside of the box material. 

47. A method for authenticating user's access rights to resources by verifying the legitimacy of a response generated 
from challenging data for proving the user's access rights, comprising: 

a step for storing the challenging data; 

a step for storing user unique identifying information; 

a step for storing proof support information which is a result of predetermined computations to the user unique 
identifying information and unique security characteristic information; 

a step for generating a response by executing predetermined computations to the challenging data, the user 
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unique identifying information and the proof support information; and 

a step for verifying the legitimacy of the response by verifying that the response, the challenging data and the 
unique security characteristic information satisfy a specific predefined relation. 

48. A computer program product for use with a computer, the computer program product comprising: 

a computer usable medium having computer readable program code means embodied in the medium for 
causing the computer to generate a response (19) from challenging data (18), the legitimacy of which is to be 
verified for authenticating user's access rights, the computer program product having: 

computer readable program code means for causing the computer to store the challenging data (18); 
computer readable program code means for causing the computer to store user unique identifying information 
(16); 

computer readable program code means for causing the computer to store proof support information (1 3) 
which is a result of predetermined computations to the user unique identifying information (16) and unique 
security characteristic information (14); and 

computer readable program code means for causing the computer to generate a response (19) by executing 
predetermined computations to the challenging data (18), the user unique identifying information (16) and the 
proof support information (13). 

49. The computer program product of claim 48, comprising: 

computer readable program code means for causing the computer to verify the legitimacy of the response 
(1 9) by verifying that the response (19), the challenging data (18) and the unique security characteristic information 
(14) satisfy a specific predefined relation. 

50. A program execution control device for authenticating user's access rights to resources by verifying the legitimacy 
of a response generated from challenging data for proving the user's access rights and controlling execution of a 
program based on the authentication of the user's access rights, comprising a device as defined in any one of 
claims 1 to 46 and 

continuation means for continuing execution of the program if the legitimacy of the response Is verified. 

51. An information processing, apparatus for authenticating user's access rights to specific information processing 
resources by verifying the legitimacy of a response (19) generated for proving the user's access rights and per- 
mitting access to the specific information processing resources, comprising a device as defined In any one of 
claims 1 to 46 and 

permission means for permitting access to the specific information processing resources if the legitimacy of 
the response is verified. 



Patentanspruche 

1. Vorrlchtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen, umfassend: 

eine erste Speicheranordnung (111) zum Speichern von Abfragedaten (18); 

eine zweite Speicheranordnung (115) zum Speichern einer eindeutigen Benutzerkennung (16); 

eine dritte Speicheranordnung (113) zum Speichern von Nachweisuntersttitzungsinformation (13), die ein Er- 

gebnis der Ausfuhrung vorbestimmter Berechnungen an der eindeutigen Benutzerkennung (16) und eindeu- 

tiger Sicherheitskenninformation (14) der Vorrlchtung ist; 

eine Antworterzeugungsanordnung (116) zum Erzeugen einer Antwort (19) aus den In der ersten Speicher- 
anordnung (111) gespeicherten Abfragedaten (18), der in der zweiten Speicheranordnung (115) gespeicherten 
eindeutigen Benutzerkennung (16) und der in der dritten Speicheranordnung (113) gespeicherten Nachweis- 
unterstutzungsinformation (13); und 

eine Verlfikatlonsanordnung (1 06) zum Verifizleren der RIchtigkeit der Antwort (19) durch Verifizieren, daG die 
Antwort (19), die Abfragedaten (18) und die eindeutige Sicherheitskenninformation (14) der Vorrlchtung eine 
spezlelle vordefinierte Relation erfullen. 

2. Vorrlchtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 1, ferner umfas- 
send: 

eine Schutzanordnung (160) zum Verhindern, daB irgendwelche Daten in ihr von au(3en einsehbar oder 
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manipulierbar sind, die zumindest die zweite Speicheranordnung (115) und die Antworterzeugungsanordnung 
(116) eInschlieBt. 

3. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 1, bei der 

5 zumindest die zweite Speicheranordnung (115) und die Antworterzeugungsanordnung (116) innerhalb einer 

kleinen tragbaren Vorrichtung wte einer Chipkarte implementiert sind. 

4. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach einem der Anspruche 1 bis 
3, bei der 

10 die Antworterzeugungsanordnung (1 1 6) umfaBt: 

eine erste Rechenanordnung (712) zum Wiedergeben der eindeutigen Sicherheitskenninformation (14) der 
Vorrichtung durch Ausfuhren vorbestimmter Berechnungen an der in der zweiten Speicheranordnung (115) 
gespeicherten eindeutigen Benutzerkennung (1 6) und der in der dritten Speicheranordnung (113) gespeicher- 
15 ten Nachweisunterstutzungsinformation (13); und 

eine zweite Rechenanordnung (714) zum Erzeugen einer Antwort dui-ch Ausfuhren vorbestimmter Berech- 
nungen an den in der ersten Speicheranordnung (111) gespeicherten Abfragedaten (18) und der von der 
ersten Rechenanordnung (712) wiedergegebenen eindeutigen Sicherheitskenninformation (14) der Vorrich- 
tung. 

20 

5. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach einem der Anspruche 1 bis 
3, bei der 

die Antworterzeugungsanordnung (116) umfaBt: 

25 eine dritte Rechenanordnung (112) zum Erzeugen einer ersten Zwischeninformation durch Ausfuhren vorbe- 

stimmter Berechnungen an den in der ersten Speicheranordnung gespeicherten Abfragedaten und der in der 
dritten Speicheranordnung gespeicherten Nachweisunterstutzungsinformation; 

eine vierte Rechenanordnung (114) zum Erzeugen einer zweiten Zwischeninformation durch Ausfuhren vor- 
bestimmter Berechnungen an den in der ersten Speicheranordnung (111) gespeicherten Abfragedaten (18) 
30 und der in der zweiten Speicheranordnung (115) gespeicherten eindeutigen Benutzerkennung (16); und 

eine funfte Rechenanordnung (1 1 6) zum Erzeugen einer Antwort durch Ausfuhren vorbestimmter Berechnun- 
gen an der durch die dritte Rechenanordnung (112) erzeugten ersten Zwischeninformation und der durch die 
vierte Rechenanordnung (114) erzeugten zweiten Zwischeninformation. 

35 6. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 5, des weiteren 
umfassend: 

eine Schutzanordnung (160) zum Verhindern, daB irgendwelche Daten in ihr von auBen einsehbar Oder 
manipulierbar sind, die zumindest die zweite Speicheranordnung (115) und die vierte Rechenanordnung (114) 
einschlieBt. 

40 

7. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 5, bei der 

zumindest die zweite Speicheranordnung (115) und die vierte Rechenanordnung (114) innerhalb einer trag- 
baren Vorrichtung wie einer Chipkarte implementiert sind. 

45 8. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach einem der Anspruche 1 bis 
7, bei der 

die eindeutige Sicherheitskenninformation (14) der Vorrichtung ein Entschlusselungsschlussel einer Ver- 
schlusselungsfunktion ist, 

50 die Abfragedaten (1 8) eine Verschliisselung von Information unter Verwendung der Verschlusselungsfunktion 

mit dem Verschlusselungsschlussel entsprechend dem Entschlusselungsschlussel sind und 
die Verifikationsanordnung (106) die Richtigkeit der Antwort verifiziert, indem verifiziert wird, daB die von der 
Antworterzeugungsanordnung (116) erzeugte Antwort (19) identisch mit der Entschlusselung der Abfrageda- 
ten mit dem Entschlusselungsschlussel ist. 

55 

9. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach einem der Anspruche 1 bis 
7, bei der 
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die eindeutige Sicherheitskenninformation (14) der Vorrichtung ein Verschliisselungsschiussel einer Ver- 
schlusselungsfunktion ist und 

die Verifikationsanordnung (106) die Richtigkelt der Antwort verifiziert, indem verifiziert wird, daB die von der 
Antworterzeugungsanordnung (116) erzeugte Antwort (19) identisch mtt der Verschlusselung der Abfrageda- 
ten mit dem Verschlusselungsschlussel ist. 

10. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach einem der Anspruche 1 bis 
7, bei der 

die Kenninformation (14) der Vorrichtung der Signaturschlussel einer digitalen Signaturfunktion ist und 
die Verifikationsanordnung (106) die Richtigkeit der Antwort verifiziert, indem verifiziert wird, da3 die von der 
Antworterzeugungsanordnung (116) erzeugte Antwort (19) identisch mit der digitalen Signatur fiir die Abfra- 
gedaten ist, die mit dem Signaturschlussel berechnet wird. 

11. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 8 oder 9, bei der 

die Verschlusselungsfunktion aus der Kryptographie mit asymmetrischem Schlussel stammt und 
die eindeutige Sicherheitskenninformation (14) der Vorrichtung eine Komponente des Schlusselpaars der Ver- 
schlusselungsfunktion ist. 

12. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 11 , bei der 

die Verschlusselungsfunktion aus der Kryptographie mit offentlichem Schlussel stammt und 
die eindeutige Sicherheitskenninformation (14) der Vorrichtung der private Schlussel des Paars mit offentli- 
chem Schlussel der Verschlusselungsfunktion ist. 

13. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 8 Oder 9, bei der 

die Verschlusselungsfunktion aus der Kryptographie mit symmetrischem Schlussel stammt und 
die eindeutige Sicherheitskenninformation (14) der Vorrichtung der gemeinsame Schlussel der Verschlusse- 
lungsfunktion ist. 

14. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach einem der Anspruche 1 bis 
13, ferner umfassend: 

eine Nachweisvorrichtung (11), welche die erste Speicheranordnung (111), die zweite Speicheranordnung 
(115), die dritte Speicheranordnung (113) und die Antworterzeugungsanordnung (116) enthalt; und 
eine Verifikationsvorrichtung (10), welche eine vierte Speicheranordnung zum Speichern der Abfragedaten 
(18), eine funfte Speicheranordnung (105) zum Speichern der Antwort (19) und die Verifikationsanordnung 
(106) enthalt, wobei 

die Verifikationsvorrichtung (10) die in der vierten Speicheranordnung gespeicherten Abfragedaten (18) an 
die erste Speicheranordnung (111) der Nachweisvorrichtung (11) ubertragt, die Nachweisvorrichtung (11) die 
von der Antworterzeugungsanordnung (116) erzeugte Antwort (19) an die funfte Speicheranordnung (105) 
der Verifikationsvorrichtung (10) ubertragt und die Verifikationsanordnung (106) der Verifikationsvorrichtung 
(10) die Richtigkeit der in der funften Speicheranordnung (105)'gespeicherten Antwort verifiziert. 

15. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 14, bei der 

die eindeutige Sicherheitskenninformation (14) der Vorrichtung ein Verschlusselungsschlussel einer Ver- 
schlusselungsfunktion ist, 

die Verifikationsvorrichtung (1 0) eine Zufallszahlerzeugungsanordnung (1 02) zum Erzeugen einer Zufallszahl 
und zu deren Speicherung in der vierten Speicheranordnung umfaBt und 

die Verifikationsanordnung (106) die Richtigkeit der Antwort verifiziert, indem verifiziert wird, da3 die in der 
funften Speicheranordnung (105) gespeicherte Antwort identisch mit der Verschlusselung der in der vierten 
Speicheranordnung (103) gespeicherten Abfragedaten mit dem Verschlusselungsschlussel ist. 

16. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 14, bei der 
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die eindeutige Sicherheitskenninformation (14) der Vorrichtung ein Entschlusselungsschlussel einer Ver- 
schlusselungsfunktion ist, 

die Verifikationsvorrichtung (10) eine Zufallszahlerzeugungsanordnung (102) zum Erzeugen einer Zufallszahl, 
eine sechste Speicheranordnung (103) zum Speichern der erzeugten Zufallszahl und eine siebte Speicher- 

5 anordnung (122) zum Speichern eines Startparameters fur Abfragedaten umfaBt, und bei der 

die Zufallszahlerzeugungsanordnung (1 02) die erzeugte Zufallszahl in der sechsten Speicheranordnung (1 03) 
speichert, wahrend der in der siebten Speicheranordnung (1 22) gespeicherte Startparameter fur die Abfrage- 
daten durch Ausfuhren vordefinierter Berechnungen an der in der sechsten Speicheranordnung (103) gespei- 
cherten Zufallszahl und dem in der siebten Speicheranordnung (122) gespeicherten Startparamter randomi- 

10 siert wird und dann der randomisierte Startparameter als Abfragedaten in der vierten Speicheranordnung 

gespeichert wird, und 

die Verifikationsanordnung (106) der Verifikationsvorrichtung (10) die in derfunften Speicheranordnung (105) 
gespeicherte Antwort durch Ausfuhren vorbestimmter Berechnungen an der in der sechsten Speicheranord- 
nung (103) gespeicherten Zufallszahl und der in derfunften Speicheranordnung (105) gespeicherten Antwort 
15 de-randomisiert und dann die Richtigkeit der de-randomlsierten Antwort verifiziert, indem verifiziert wird, daB 

das de-randomisierte Ergebnis identisch mit der Entschlusselung des in der siebten Speicheranordnung (1 22) 
gespeicherten Startparameters mit dem Entschlusselungsschlussel Ist, der die eindeutige Sicherheitskennin- 
formation (14) der Vorrichtung ist. 

20 17. Vorrichtung zum Authentlfizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 14, be! der 

die eindeutige Sicherheitskenninformation (14) - der Vorrichtung der Signaturschlussel einer digitalen Signa- 
turfunktlon ist und 

die Verifikationsvorrichtung (10) eine Zufallszahlerzeugungsanordnung (102) zum Erzeugen einer Zufallszahl 
25 und zum Speichern der erzeugten Zufallszahl als Abfragedaten in der vierten Speicheranordnung umfaBt, und 

bei der 

die Verifikationsanordnung (106) der Verifikationsvorrichtung (10) die Richtigkeit der Antwort verifiziert, indem 
verifiziert wird, daB die in der funften Speicheranordnung (1 05) gespeicherte Antwort identisch mit der digitalen 
Signatur fur die in der vierten Speicheranordnung gespeicherten Abfragedaten ist, die mit dem Signaturschlus- 
30 sel berechnet wird, der die eindeutige Sicherheitskenninformation (14) der Vorrichtung ist. 

18. Vorrichtung zum Authentlfizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 15, bei der 

die eindeutige Sicherheitskenninformation (14) der Vorrichtung der private Schlussel D eines RSA-Paars mit 
35 offentlichem Schlussel mit einem Modul n Ist und 

die Verifikationsanordnung (1 06) die Richtigkeit der Antwort verifiziert, Indem verifiziert wird, daB die E-te 
Potenz der in der funften Speicheranordnung (105) gespeicherten Antwort R, wobel E den dem privaten 
Schlussel D zugeordneten offentlichen Schlussel bezelchnet, kongruent mit den in der vierten Speicheran- 
ordnung gespeicherten Abfragedaten C modulo n Ist, d.h. R^ mod n = C mod n. 

40 

19. Vorrichtung zum Authentlfizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 16, bei der 

die eindeutige Sicherheitskenninformation (14) der Vorrichtung der private Schlussel D eines RSA-Paars mit 
offentlichem Schlussel mit einem Modul n ist, 
45 ein Startparameter C fur in der siebten Speicheranordnung (122) gespeicherte Abfragedaten eine RSA-Ver- 

schlusselung von Daten K mit dem offentlichen Schlussel E des RSA-Paars mit offentlichem Schlussel ist, d. 
h. DE mod (t)(n) = 1 , C = mod n, 

eine von der Zufallszahlerzeugungsanordnung (102) erzeugte Zufallszahl r in der sechsten Speicheranord- 
nung (103) gespeichert ist, 

50 erzeugte und in der vierten Speicheranordnung gespeicherte Abfragedaten C die Relation C = r^C mod n 

erfullen, und 

die Verifikationsanordnung (106) die Richtigkeit der In der funften Speicheranordnung (105) gespeicherten 
Antwort R verifiziert, Indem verifiziert wird, daB der Quotient R divldlert durch r modulo n kongruent mit den 
Daten K modulo n ist, d.h. K mod n = r^R mod n. 

55 

20. Vorrichtung zum Authentlfizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 1 8 Oder 1 9, bei der 

In der dritten Speicheranordnung (113) gespeicherte Nachweisunterstutzungslnformatlon t (13) die Relation 
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t = D - e + w (t)(n) erfullt, wobei e eine in der zweiten Speicheranordnung (115) gespeicherte eindeutige Be- 
nutzerkennung (16) bezeichnet, w eine konfliktfreie Zufallszahl ist, die abhangig sowohl von n als auch e 
ermittelt wird, und ^{r\) die Euler-Zahl von n bezeichnet, und 

die von der Antworterzeugungsanordnung (116) erzeugte Antwort identisch mit der D-ten Potenz von in der 
5 ersten Speicheranordnung (111) gespeicherten Abfragedaten C modulo n ist. d.h., R = mod n. 

21. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 20, bei der 
die Antworterzeugungsanordnung (116) des weiteren umfaBt: 

10 eine dritte Rechenanordnung (112) zum Berechnen der t-ten Potenz von in der ersten Speicheranordnung 

(111) gespeicherten Abfragedaten C modulo n, d.h. O mod n, wobei t in der dritten Speicheranordnung (113) 
gespeicherte Nachweisunterstutzungsinformation (13) bezeichnet; 

eine vierte Rechenanordnung (114) zum Berechnen der e-ten Potenz der Abfragedaten C modulo n, d.h. C® 
mod n, wobei e eine in der zweiten Speicheranordnung (115) gespeicherte eindeutige Benutzerkennung (16) 
15 bezeichnet; und 

eine funfte Rechenanordnung (116) zum Berechnen einer Antwort R durch Multiplikation des von der dritten 
Rechenanordnung (112) berechneten Ergebnisses mit dem von der vierten Rechenanordnung (114) berech- 
neten Ergebnis modulo n, d.h. R = OC^ mod n. 

20 22. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 21, ferner umfas- 
send: 

eine Schutzanordnung (160) zum Verhindern, daB irgendwelche Daten in ihr von auBen einsehbar oder 
manipulierbar sind, welche die zweite Speicheranordnung (1 1 5) und die vierte Rechenanordnung (114) einschlieBt. 

25 23. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 1 8 Oder 1 9, bei der 

in der dritten Speicheranordnung (113) gespeicherte Nachweisunterstutzungsinformation t (13) die Relation 
t = D + F(n, e) erfullt, wobei e eine in der zweiten Speicheranordnung (115) gespeicherte eindeutige Benut- 
zerkennung (16) bezeichnet und F(x, y) eine kollisionsfreie Funktion mit zwei Variablen bezeichnet, und 
30 eine von der Antworterzeugungsanordnung (116) erzeugte Antwort identisch mit der D-ten Potenz von in der 

ersten Speicheranordnung (111) gespeicherten Abfragedaten C modulo n ist, d.h. R = mod n. 

24. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 23, bei der 
die Antworterzeugungsanordnung (116) des weiteren umfaBt: 

35 

eine dritte Rechenanordnung (112) zum Berechnen der t-ten Potenz von in der ersten Speicheranordnung 
(111) gespeicherten Abfragedaten C modulo n, wobei t die in der dritten Speicheranordnung (113) gespeicherte 
Nachweisunterstutzungsinformation (13) bezeichnet, d.h. O mod n; 

eine vierte Rechenanordnung (114) zum Berechnen der F(n, e)-ten Potenz der Abfragedaten C modulo n, d. 
^0 h. C^t"' ®) mod n, wobei e die in der zweiten Speicheranordnung (115) 

eine funfte Rechenanordnung (116) zum Berechnen einer Antwort R durch Dividieren des von der dritten 
Rechenanordnung (112) berechneten Ergebnisses durch das von der vierten Rechenanordnung (114) berech- 
nete Ergebnis modulo n, d.h. R = DC-"^*"- mod n. 

45 25. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 24, ferner umfas- 
send: 

eine Schutzanordnung (160) zum Verhindern, daB irgendwelche Daten in ihr von auBen einsehbar Oder 
manipulierbar sind, welche die zweite Speicheranordnung (115) und die vierte Rechenanordnung (114) einschlieBt. 

50 26. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 1 5, bei der 

die eindeutige Sicherheitskenninformation (14) der Vorrichtung ein Schlussei D eines Pohlig-Hellman-Schlus- 
selpaars mit einem Modul p ist und 

die Verifikationsanordnung (106) die Richtigkeit der Antwort verifiziert, indem verifiziert wird, daB die E-te 
55 Potenz der in der funften Speicheranordnung (1 05) gespeicherten Antwort R, wobei E den Gegenschlussel 

des Schlussels D bezeichnet, d.h. DE mod (p-1) = 1, kongruent mit den in der vierten Speicheranordnung 
gespeicherten Abfragedaten modulo p ist, d.h. R^ mod p = C mod p. 
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27. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 16, bei der 

die eindeutige Sicherheitskenn information (14) der Vorrichtung ein Schlussel D eines Pohlig-Hellman-Schlus- 
selpaars mit einem Modul p ist. 
5 ein in der siebten Speicheranordnung (422) gespeicherter Startparameter G' fur Abfragedaten eine Pohlig- 

Hellman-Verschlusselung von Daten K mit dem Gegenschlussel E des Schlussels D ist, d.h. DE mod (p-l) = 
1 , C = KE mod p, 

eine von der Zufallszahlerzeugungsanordnung (402) erzeugte Zufallszahl r in der sechsten Speicheranord- 
nung (403) gespeichert ist, 

10 in der vierten Speicheranordnung gespeicherte Abfragedaten C die Relation C = r^C mod p erfullen, und 

die Verifikationsanordnung (106) die Richtigkeit der in der funften Speicheranordnung (405) gespeicherten 
Antwort R verifiziert, indem verifiziert wird, daB der Quotient R dividiert durch r modulo p kongruent mit den 
Daten K modulo p ist, d.h. K mod p = r"'R mod p. 

15 28. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 26 Oder 27, bei der 

in der dritten Speicheranordnung (413) gespeicherte Nachweisunterstutzungsinformation t (13) die Relation 
t = D + F(p, e) erfullt, wobei e die in der zweiten Speicheranordnung (415) gespeicherte eindeutige Benutzer- 
kennung (16) bezeichnet und F(x, y) eine kollisionsfreie Funktion mit zwei Variablen bezeichnet, und 
20 eine von der Antworterzeugungsanordnung (41 6) erzeugte Antwort identisch mit der D-ten Potenz von in der 

ersten Speicheranordnung (411) gespeicherten Abfragedaten C modulo p ist, d.h. R = C° mod p. 

29. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 28, bei der 

die Antworterzeugungsanordnung (41 6) des weiteren umfaBt: 

25 

eine dritte Rechenanordnung (412) zum Berechnen der t-ten Potenz von in der ersten Speicheranordnung 
(411) gespeicherten Abfragedaten C modulo p, wobei t die in der dritten Speicheranordnung (413) gespei- 
cherte Nachweisunterstutzungsinformation (13) bezeichnet, d.h. 
C* mod p; 

30 eine vierte Rechenanordnung (414) zum Berechnen der F(p, e)-ten Potenz der Abfragedaten C modulo p, d. 

h. C^iP'^) mod p, wobei e die in der zweiten Speicheranordnung (415) gespeicherte eindeutige Benutzerken- 
nung (16) bezeichnet und F(x, y) eine kollisionsfreie Funktion.mit zwei Variablen bezeichnet; und 
eine funfte Rechenanordnung (416) zum Berechnen einer Antwort R durch Dividieren des von der dritten 
Rechenanordnung (412) berechneten Ergebnisses durch das von der vierten Rechenanordnung (414) be- 

35 rechnete Ergebnis modulo p, d.h. R = C* C-^^tP' e) mod p. 

30. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 29, ferner umfas- 
send: 

eine Schutzanordnung (1 60) zum Verhindern, daB irgendwelche Daten in ihr von auBerhalb einsehbar Oder 
40 manipulierbar sind, welche die zweite Speicheranordnung (415) und die vierte Rechenanordnung (414) ein- 

schlieBt. 

31. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 16, bei der 

45 die eindeutige Sicherheitskenninformation (1 4) der Vorrichtung der private Schlussel X eines EIGamal-Paars 

mit offentlichem Schlussel mit einem Modul p und einem Generator G ist, 

der X entsprechende offentliche Schlussel Y die X-te Potenz von G modulo p ist, d.h. Y = G^ mod p, 
u die z-te Potenz von G modulo p (u = G^ mod p) fur eine Zufallszahl z bezeichnet, 
K' das Produkt modulo p der z-ten Potenz von Y modulo p und einem Datenwert K bezeichnet, d.h. K' = Y^ K 
50 mod p, 

die siebte Speicheranordnung (522) das Paar aus u und K' halt, 

eine von der Zufallserzeugungsanordnung (602) erzeugte Zufallszahl r in der sechsten Speicheranordnung 
(603) gespeichert ist, 

C das Produkt modulo p von K' und r bezeichnet, d.h. C = rK' mod p, 
55 die vierte Speicheranordnung das Paar C und u halt, und 

die Verifikationsanordnung (106) die Richtigkeit der in der funften Speicheranordnung (505) gespeicherten 
Antwort R verifiziert, indem verifiziert wird, daB der Quotient R dividiert durch r modulo p kongruent mit K 
modulo p ist, d.h. K mod p = MR mod p. 
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32. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 31 , bei der 

in der dritten Speicheranordnung (513) gespeicherte Nachweisunterstutzungsinformation t (13) die Relation 
t = D + F(p, e) erfiillt, wobei e die in der zweiten Speicheranordnung (515) gespeicherte eindeutige Benutzer- 
kennung (16) bezeichnet und F(x, y) eine kollisionsfreie Funktion mit zwei Variablen bezeichnet, und 
eine von der Antworterzeugungsanordnung (51 6) erzeugte Antwort R identisch mit dem Quotienten C dividiert 
durch die X-te Potenz von u modulo p ist, d.h. R = u-^C mod p, wobei das Paar C und u die in der ersten 
Speicheranordnung (511) gespeicherten Abfragedaten sind. 

33. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 32, bei der 

die Antworterzeugungsanordnung (516) des weiteren umfaBt: 

eine dritte Rechenanordnung (512) zum Berechnen der t-ten Potenz der Komponente u des in der ersten 
Speicheranordnung (511) gespeicherten Abfragedatenpaars modulo p, wobei t eine in der dritten Speicher- 
anordnung (513) gespeicherte Nachweisunterstutzungsinformation bezeichnet, d.h. u* mod p; 
eine vierte Rechenanordnung (514) zum Berechnen der F(p, e)-ten Potenz von u modulo p, d.h. u^^tP-®) mod 
p, wobei e die in der zweiten Speicheranordnung (515) gespeicherte eindeutige Benutzerkennung (16) be- 
zeichnet und F(x, y) eine kollisionsfreie Funktion mit zwei Variablen bezeichnet; und 
eine funfte Rechenanordnung (516) zum Berechnen einer Antwort R durch Dividieren des Produkts der an- 
deren Komponente C des Abfragedatenpaars mit dem von der vierten Rechenanordnung (514) berechneten 
Ergebnis durch das von der dritten Rechenanordnung (512) berechnete Ergebnis modulo p, d.h. R = Cu^iP*^) 
U-* mod p. 

34. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 33, ferner umfas- 
send: 

eine Schutzanordnung (160) zum Verhindern, da3 irgendwelche Daten in ihr von auBerhalb einsehbar Oder 
manipulierbar sind, welche die zweite Speicheranordnung (515) und die vierte Rechenanordnung (514) ein- 
schlieBt. 

35. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 17, bei der 

die eindeutige Sicherheitskenninformation (14) der Vorrichtung der Signaturschlussel X eines EIGamal-Paars 

mit offentlichem Schlussel mit einem Modul p und einem Generator G ist, . 

der X entsprechende offentliche Schlussel Y die X-te Potenz von G modulo p ist, d.h. Y = G^ mod p, 

eine In der funften Speicheranordnung (605) gespeicherte Antwort ein Paar aus R und S ist, und 

die Verifikationsanordnung (606) die Richtigkeit der in der funften Speicheranordnung (605) gespeicherten 

Antwort R verlfiziert, indem verifiziert wlrd, daB die C-te Potenz von G fur die in der vierten Speicheranordnung 

gespeicherten Abfragedaten C kongruent modulo p mit dem Produkt der R-ten Potenz von Y und der S-ten 

Potenz von R ist, d.h. G^.mod p = Y^H^ mod p. 

36. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 35, bei der 

in der dritten Speicheranordnung (613) gespeicherte Nachweisunterstutzungsinformation t (13) die Relation 
t = D + F(p, e) erfullt, wobei e die in der zweiten Speicheranordnung (616) gespeicherte eindeutige Benutzer- 
kennung (16) bezeichnet und F(x, y) eine kollisionsfreie Funktion mit zwei Variablen bezeichnet, und 
die Antworterzeugungsanordnung (116) ein Antwortpaar R und S durch Ausfuhren der folgenden Schritte 
erzeugt: 

Erzeugen einer Zufallszahl k; 

Berechnen von R als k-te Potenz von G modulo p, d.h. R = G"* mod p; und 
Berechnen von S nach MaBgabe der Relation S = (C - RX) mod (p-1 ). 

37. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 36, ferner umfas- 
send: 

eine Schutzanordnung (160) zum Verhindern, daB irgendwelche Daten in ihr von auBen einsehbar oder 
manipulierbar sind, welche die zweite Speicheranordnung (616) und die vierte Rechenanordnung (614) ein- 
schlieBt. 
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38. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 4, bei der 

die in derzweiten Speicheranordnung (715) gespeicherte eindeutige Benutzerkennung (16) ein Entschlusse- 
lungsschlussel einer Verschlusselungsfunl<tion ist, 

die in der dritten Speicheranordnung (713) gespeicherte Nachweisunterstutzungsinformation (13) eine Ver- 
schlusselungdereindeutigen Sicherheitskenninformation der Vorrichtung mitdemVerschlusselungsschlussel 
entsprechend dem Entschlusselungsschlussel ist, und 

die erste Rechenanordnung (712) die eindeutige Sicherheitskenninformation (14) der Vorrichtung durch Ent- 
schlusseln der in der dritten Speicheranordnung (713) gespeicherten Nachweisunterstutzungsinformation mit 
dem in der zweiten Speicheranordnung (715) gespeicherten Entschlusselungsschlussel berechnet. 

39. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 38, bei der 

die Verschlusselungsfunktion aus der Kryptographie mit asymmetrischem Schlussel stammt und 

die eindeutige Benutzerkennung (1 6) eine Komponente des Schlusselpaars der Verschlusselungsfunktion ist. 

40. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 39, bei der 

die Verschlusselungsfunktion aus der Kryptographie mit offentlichem Schlussel stammt und 
die eindeutige Benutzerkennung (16) der private Schlussel des Paars mit offentlichem Schlussel der Ver- 
schlusselungsfunktion ist. 

41. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 38, bei der 

die Verschlusselungsfunktion aus der Kryptographie mit symmetrischem Schlussel stammt und 

die eindeutige Benutzerkennung (16) der gemeinsame geheime Schlussel der Verschlusselungsfunktion ist. 

42. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 8 Oder 16, bei der 

die Verifikationsvorrichtung (10) des weiteren umfaBt: 

eine achte Speicheranordnung (31 Oa) zum Speichern von Klardaten, deren Verschlusselung die Abfragedaten 
Oder der Startparameter fur die in der ersten Speicheranordnung (111) gespeicherten Abfragedaten sind; und 
eine Vergletchsanordnung (310b) zur Uberpriifung, ob die in der achten Speicheranordnung (310a) gespei- 
cherten Klardaten identisch mit Daten sind. die in die Vergleichsanordnung (310b) eingegeben werden, und 
bei der 

die Verifikationsanordnung (1 06) die Antwort Oder den de-random Isierten Wert der in der funften Speicheran- 
ordnung (105) gespeicherten Antwort an die Vergleichsanordnurig (310b) liefert, die Ruckantwort von der 
Vergleichsanordnung (310b) empfangt und dadurch die Verifikationsanordnung (106) die Richtigkeit der Ant- 
wort dann und nur dann verifiziert, wenn die empfangene Ruckantwort zeigt, daB die in der achten Speicher- 
anordnung (310a) gespeicherten Klardaten identisch mit den in die Vergleichsanordnung (310b) eingegebe- 
nen Daten sind. 

43. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 8 Oder 16, bei der 

die Verifikationsvorrichtung (10) des weiteren umfaBt: 

eine neunte Speicheranordnung (310a) zum Speichern eines Werts, der durch Anwenden einer Einwegfunk- 
tion auf Klardaten erhalten wird, deren Verschlusselung die Abfragedaten Oder der Startparameter fur in der 
siebten Speicheranordnung (122) gespeicherte Abfragedaten sind; 

eine sechste Rechenanordnung (31 Oc) zum Ausgeben eines Werts, der durch Anwenden der Einwegfunktion 
auf einen eingegebenen Datenwert berechnet wird; und 
. eine Vergleichsanordnung (310b) zur Uberprufung, ob der in der neunten Speicheranordnung (31 Oa) gespei- 
cherte Wert identisch mit in die Vergleichsanordnung (31 Ob) eingegebenen Daten ist, und bei der 
die Verifikationsanordnung (106) die Antwort Oder den de-randomisierten Werl der Antwort an die sechste 
Rechenanordnung (310c) liefert, ein Ergebnis von der sechsten Rechenanordnung (310c) empfangt, das Er- 
gebnis an die Vergleichsanordnung (310b) liefert und eine Ruckantwort von der Vergleichsanordnung (310b) 
empfangt und die Vergleichsanordnung (1 06) dadurch die Richtigkeit der Antwort dann und nur dann verifiziert, 
wenn die empfangene Ruckantwort zelgt, daf3 das Ergebnis der Berechnung durch die sechste Rechenan- 
ordnung (310c) identisch mit den in der neunten Speicheranordnung (310a) gespeicherten Daten ist. 
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44. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 8 Oder 16, bei der 

die Verifikationsvorrichtung (1 0) des weiteren umfaBt: 

eine Programmausfuhmngsanordnung (310) zum Ausfuhren von Code eines Programms, dessen Verschlus- 
selung die in der siebten Speicheranordnung (122) gespeicherten Abfragedaten sind, und bei der 
die Verif ikationsanordnung (1 06) die in der funften Speicheranordnung (1 05) gespeicherte Antwort als Pro- 
grammcode an die Programmausfuhrungsanordnung (310) liefert, und 

die Programmausfuhrungsanordnung (310) dann und nurdann korrekt funktioniert, wenn die Antworterzeu- 
gungsanordnung (116) die Abfragedaten korrekt entschlusselt, die eine Verschlusselung des Codes des Pro- 
gramms sind, d.h., wenn die Verschlusselung des Programms korrekt entschlusselt wird. 

45. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 8 Oder 16, bei der 

die Verifikationsvorrichtung (10) des weiteren umfa3t: 

eine Programmausfuhrungsanordnung (31 0); 

eine Programmspeicheranordnung (31 Og); und 

eine Programmentschlusselungsanordnung (31 Oh), und bei der 

die Programmspeicheranordnung (31 Og) Code eines Programms speichert, das teilweise Oder vollstandig 
verschlusselt ist, 

eine Verschlusselung des Entschlusselungsschlussels fur den teilweise Oder vollstandig verschlusselten Pro- 
grammcode die in der siebten Speicheranordnung (122) gespeicherten Abfragedaten sind, 
die Verifikationsanordnung (106) die Antwort an die Programmentschlusseiungsanordnung (31 Oh) liefert, 
die Programmentschlusselungsanordnung (31 Oh) das in der Programmspeicheranordnung (31 Og) gespei- 
cherte Programm mit der Antwort als Entschlusselungsschlussel entschlusselt, und 
die Programmausfuhrungsanordnung (310) das entschlusselte Programm dann und nur dann korrekt ausfuhrt, 
wenn die Antworterzeugungsanordnung (116) die Abfragedaten korrekt entschlusselt, d.h., der Entschlusse- 
lungsschlussel zum Entschiussein der Verschlusselung des Programms korrekt entschlusselt ist. 

46. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 14, bei der 

die Nachweisvorrlchtung (11) und die Verifikationsvorrichtung (10) in einer gehauseartigen Anordnung instal- 
liert sind und 

die Verifikationsvorrichtung (10) die in der vierten Speicheranordnung gespeicherten Abfragedaten (18) an 
die erste Speicheranordnung (111) der Nachweisvorrlchtung (11) ubertragt und die Nachweisvorrichtung (11) 
die von der Antworterzeugungsanordnung (116) erzeugte Antwort (1 9) an die funfte Speicheranordnung (1 05) 
der Verifikationsvorrichtung (10) ohne Verwendung eines Kommunikationsnetzes auBerhalb der gehausear- 
tigen Anordnung ubertragt. 

47. Verfahren zum Authentifizieren von Benutzerzugriffsrechten auf Ressourcen durch Verif izieren der Richtigkeit ei- 
ner aus Abfragedaten erzeugten Antwort zum Nachweis der Benutzerzugriffsrechte, umfassend: 

einen Schritt zum Speichern der Abfragedaten; 

einen Schritt zum Speichern einer eindeutigen Benutzerkennung; 

eInen Schritt zum Speichern von Nachweisunterstutzungsinformation, dieein Ergebnis vorbestimmter Berech- 
nungen an der eindeutigen Benutzerkennung und eindeutiger Sicherheitskenninformation ist; 
einen Schritt zum Erzeugen einer Antwort durch Ausfuhren vorbestimmter Berechnungen an den Abfrageda- 
ten, der eindeutigen Benutzerkennung und der Nachweisunterstutzungsinformation; und 
einen Schritt zum Verifizieren der Richtigkeit der Antwort durch Verlfizieren, daB die Antwort, die Abfragedaten 
und die eindeutige Sicherheitskenninformation eine spezielle vordefinierte Relation erfullen. 

48. Computerprogrammprodukt zur Verwendung bei einem Computer, wobei das Computerprogrammprodukt umfaBt: 

ein von einem Computer verwendbares Medium, auf dem computerlesbare Programmcodemittel vorhanden 
sind, die dazu dienen, den Computer zu veranlassen, eine Antwort (1 9) aus Abfragedaten (1 8) zu erzeugen, deren 
Richtigkeit fur die Authentifzlerung von Benutzerzugriffsrechten zu verifizieren ist, wobei das Computerprogramm- 
produkt aufweist: 

computerlesbare Programmcodemittel, die dazu dienen, den Computer zu veranlassen, die Abfragedaten (1 8) 
zu speichern; 
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computerlesbare Programmcodennittel, die dazu dienen, den Computer zu veranlassen, eine eindeutige Be- 
nutzerkennung (16) zu speichern; 

computerlesbare Programmcodemittel, die dazu dienen, den Computer zu veranlassen, Nachweisunterstut- 
zungsinformation (13) zu speichern, die ein Ergebnis vorbestimmter Berechnungen an der eindeutigen Be- 
nutzerkennung (16) und eindeutiger Sicherheitskenninformation (14) ist; und 

computerlesbare Programmcodemittel, die dazu dienen, den Computer zu veranlassen, durch Ausfuhren vor- 
bestimmter Berechnungen an den Abfragedaten (18), der eindeutigen Benutzerkennung (16) und der Nach- 
welsunterstutzungsinformation (13) eine Antwort (19) zu erzeugen. 

49. Computerprogrammprodukt nach Anspruch 48, umfassend: 

computerlesbare Programmcodemittel, die dazu dienen, den Computer zu veranlassen, die Richtigkeit der 
Antwort (19) zu verifizieren, indem verifiziert wird, daB die Antwort (19), die Abfragedaten (18) und die eindeutige 
Sicherheitskenninformation (14) eine spezielle vordefinierte Relation erfullen. 

50. Programmausfuhrungssteuervorrichtung zum Authentifizieren von Ben utzerzug riff srechten auf Ressourcen durch 
Verifizieren der Richtigkeit einer aus Abfragedaten erzeugten Antwort zum Nachweis der Benutzerzugriffsrechte 
und zum Steuern der Ausfuhrung eines Programms auf der Basis der Authentifizierung der Benutzerzugriffsrechte, 
umfassend eine Vorrichtung gemaB einem der Anspruche 1 bis 46 und 

eine Fortfuhrungsanordnung zum Fortfuhren der Ausfuhrung des Programms, wenn die Richtigkeit der Ant- 
wort verifiziert ist. 

51. Informationsverarbeitungsgerat zum Authentifizieren von Benutzerzugriffsrechten auf spezielle Informationsver- 
arbeitungsressourcen durch Verifizieren der Richtigkeit einer Antwort (19), die erzeugt wird, um die Benutzerzu- 
griffsrechte nachzuweisen und den Zugriff auf die speziellen tnformationsverarbeitungsressourcen zu gewahren, 
umfassend eine Vorrichtung gemaB einem der Anspruche 1 bis 46 und 

eine Gewahrungsanordnung zum Gewahren des Zugriffs auf die speziellen Informationsverarbeitungsres- 
sourcen, wenn die Richtigkeit der Antwort verifiziert ist. 



Revendications 

1 . Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources comprenant : 

un premier moyen de m^moire (111) pour enregistrer des donn6es k verifier (18); 

un deuxi^me moyen de m6moire (115) pour enregistrer une information Individuelle d'identification de Tutili- 
sateur (16); 

un troisi^me moyen de m^moire (113) pour enregistrer une information d'assistance de controle (13) qui est 
un r^sultat de I'ex^cution de calculs pr6d6termin4s sur I'information individuelle d'identification de I'utilisateur 
(16) et une information de caract6ristique de s6curit6 individuelle (14) du dispositif; 
un moyen de g6n6ration de r6ponse (116) pour g6n6rer une r^ponse (19) k partir des donn6es k verifier (18) 
enregistr6es dans le premier moyen de m^moire (111 ), I'information d'identification individuelle de I'utilisateur 
(16) enregistr^e dans le deuxifeme moyen de m§moire (115), et Tinformation d'assistance de controle (13) 
enreglstr§e dans le troisi^me moyen de m6moire (113); et 

un moyen de verification (106) pour verifier la I6gitimit6 de la reponse (19) en v6rifiant que la r6ponse (19), 
les donn^es k verifier (1 8) et I'information de caract6ristique de s6curit6 individuelle (14) du dispositif satisfont 
une relation pr6d6finie sp6cifique. 

2. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 1 comprenant 
de plus : 

un moyen de protection (160) pour emp^cher que toute donn6e int^rieure soit observ6e ou trafiqu6e de 
Text^rieur, au moins en confinant le deuxi^me moyen de m6moire (115) et le moyen de generation de reponse 
(116). 

3. Dispositif pour authentifier des droits d'accfes d'un utilisateur k des ressources selon la revendication 1 , dans lequel 
au moins le deuxi^me moyen de m^moire (115) et le moyen de generation de reponse (116) sont mis en oeuvre 
dans un petit dispositif portatif tel qu'une carte intelligente. 

4. Dispositif pour authentifier des droits d'acces d'un utilisateur ci des ressources selon I'une quelconque des reven- 
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dications 1 ^ 3, dans lequel 

le moyen de g6n6ration de r6ponse (116) comprend : 

un premier moyen de calcul (71 2) pour ex6cuter k nouveau I'information de caract^ristique de s§curit§ indi- 
5 viduelle (14) du dispositif en effectuant des calculs pr6d6termin6s sur I'information individuelle d'identification 

de I'utilisateur (16) enregistr6e dans le deuxi§me moyen de m6moire (115) et I'information d'assistance de 
controle (13) enregistr^e dans le troisifeme moyen de m^moire (113); et 

un deuxi^me moyen de calcul (714) pour g6n6rer une r6ponse en effectuant des calculs pr6d6termin§s sur 
les donn^es k verifier (18) enregistr^es dans le premier moyen de m§moire (111) et i'information de caract6- 
10 ristique de s6curit6 individuelle (14) du dispositif ex6cut6e k nouveau par le premier moyen de calcul (712). 

5. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon I'une quelconque des reven- 
dications 1 k 3. dans lequel 

le moyen de g§n6ration de r6ponse (116) comprend : 

15 

un troisi^me moyen de calcul (112) pour g6n§rer une premiere information interm^diaire en effectuant des 
calculs pr6d6termin§s sur les donn^es a verifier enregistr6es dans le premier moyen de m^moire et I'infor- 
mation d'assistance de controle enregistr^e dans le troisi^me moyen de m^moire; 

un quatri^me moyen de calcul (114) pour g6n6rer une deuxi^me information interm^diaire en effectuant des 
20 calculs pr6d6termin6s sur les donn^es k verifier (18) enregistr6es dans le premier moyen de m^moire (11.1) 

et I'information d'identification individuelle de I'utilisateur (1 6) enregistr^e dans le deuxi^me moyen de m^moire 
(115); et 

un cinqui^me moyen de calcul (116) pour g6n6rer une r6ponse en effectuant des calculs predetermines sur 
la premiere information interm^diaire g6n6r6e par le troisi^me moyen de calcul (112) et la deuxi^me informa- 
25 tion interm^diaire g6n6r6e par le quatrieme moyen de calcul (114). 

6. Dispositif pour authentifier des droits d'acc6s d'un utilisateur k des ressources selon la revendication 5, comprenant 
de plus : 

un moyen de protection (160) pour empecher toute donn^e int^rieur d'etre observ6e ou trafiqu6e de I'exte- 
30 rieur, au moins en confinant le deuxi^me moyen de m^moire (115) et le quatrieme moyen de calcul (114). 

7. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 5, dans lequel 

au moins le deuxi^me moyen de m6moire (115) et le quatrl6me moyen de calcul (114) sont mis en oeuvre 
dans un dispositif portatif tel qu'une carte intelligente. 

35 

8. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon I'une quelconque des reven- 
dications 1 k 7, dans lequel 

rinformation de caracteristique de s6curit6 individuelle (14) du dispositif est une cle de d6chiffrement d'une 
40 fonction de chiffrement, 

les donn^es k verifier (18) sont un chiffrement d'information utilisant la fonction de chiffrement avec la cl6 de 
chiffrement correspondant k la cl6 de d6chiffrement, et 

le moyen de verification (106) v^rifie la legitimite de la r6ponse en verifiant que la r^ponse (19) g^ner^e par 
le moyen de generation de reponse (116) est identique au d6chiffrement des donnees k verifier avec la cie 
de dechiffrement. 

9. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon I'une quelconque des reven- 
dicatlons 1 k 7, dans lequel 

50 rinformation de caracteristique de securite individuelle (1 4) du dispositif est une cie de chiffrement d'une fonc- 

tion de chiffrement, et 

le moyen de verification (106) verifie la legitimite de la reponse en verifiant que la reponse (19) generee par 
le moyen de generation de reponse (116) est identique au chiffrement des donnees k verifier avec la cie de 
chiffrement. 

55 

10. Dispositif pour authentifier des droits d'accfes d'un utilisateur k des ressources selon I'une quelconque des reven- 
dications 1 k 7, dans lequel 
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I'information caract6ristique (1 4) du dispositif est la cl6 de signature d'une fonction de signature num6rlque, et 
le moyen de verification (106) v^rifie la I6gitimit6 de ta r^ponse en v§riftant que la r^ponse (19) g6n6r6e par 
le moyen de generation de r^ponse (116) est identique k la signature numerique destin^e aux donn6es ^ 
verifier qui est calcuiee avec la cie de signature. 

5 

11. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 8 ou 9, dans 
lequel 

la fonction de chiffrement est du type de chiffrement k cie asynnetrique, et 
10 rinformation de caracteristique de securite individuelle (14) du dispositif est une composante de la paire de 

cies de la fonction de chiffrement. 

12. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 11, dans 
lequel 

15 

la fonction de chiffrement est du type de chiffrement k cie publlque, et 

I'information de caracteristique de securite individuelle (14) du dispositif est la cie privee de la paire de cies 
publlques de la fonction de chiffrement. 

20 13. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 8 ou 9, dans 
lequel 

la fonction de chiffrement est du type de chiffrement k cie symetrique, et 

rinformation de caracteristique de securite Individuelle (14) du dispositif est la cie commune de la fonction de 
25 chiffrement. 

14. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon I'une quelconque des reven- 
dications 1^13, comprenant de plus : 

30 un dispositif de confirmation (11) comprenant le premier moyen de memoire (111), le deuxieme moyen de 

memoire (115), le troisieme moyen de memoire (113) et le moyen de generation de reponse (116); et 
un dispositif de verification (10) comprenant un quatrieme moyen de memoire pour enregistrer les donnees 
k verifier (18), un cinquieme moyen de memoire (105) pour enregistrer la reponse (19) et un moyen de veri- 
fication (106), dans lequel 

35 le dispositif de verification (1 0) transfere les donnees^ verifier (1 8) enregistrees dans le quatrieme moyen de 

memoire au premier moyen de memoire (111) du dispositif de confirmation (11), le dispositif de confirmation 
(1 1 ) transfere la reponse (19) generee par le moyen de generation de reponse (1 1 6) au cinquieme moyen de 
memoire (105) du dispositif de verification (10), et le moyen de verification (106) du dispositif de verification 
(10) verifie la legltimite de la reponse enregistree dans le cinquieme moyen de memoire (105). 

40 

15. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon ta revendication 14, dans 
lequel 

rinformation de caracteristique de securite individuelle (1 4) du dispositif est une cie de chiffrement d'une fonc- 
45 tion de chiffrement, 

le dispositif de verification (10) comprend un moyen de generation de nombre aieatoire (102) pour generer 
un nombre aieatoire et I'enregistrer dans le quatrieme moyen de memoire, et 

le moyen de verification (106) verifie la legltimite de la reponse en verlflant que la reponse enregistree dans 
le cinquieme moyen de memoire (105) est Identique au chiffrement des donnees k verifier enregistrees dans 
50 le quatrieme moyen de memoire (1 03) avec la cie de chiffrement. 

16. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 14, dans 
lequel 

55 rinformation de caracteristique de securite individuelle (14) du dispositif est une cie de dechiffrement d'une 

fonction de chiffrement, 

le dispositif de verification (10) comprend un moyen de generation de nombre aieatoire (102) pour generer 
un nombre aieatoire, un sixieme moyen de memoire (103) pour enregistrer le nombre aieatoire genere et un 
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septi^me moyen de m6moire (1 22) pour enregistrer une valeur de depart pour des donn6es k verifier, et dans 
lequel 

le moyen de g6n6ration de nombre al6atoire (102) enregistre le nombre al§atoire g^n^re dans le sixi^me 
moyen de m6moire (103) en randomisant la valeur de depart pour les donn^es k verifier enregistr6e dans le 
septi^me moyen de m6moire (122) en effectuant des calculs pr6d6finis sur le nombre aleatoire enregistr6 
dans le sixi^me moyen de m^moire (103) et la valeur de depart enregistr6e dans le septi^me moyen de 
m^moire (122) et en enregistrant ensulte la valeur de depart randomls^e comme donn^es k verifier dans le 
quatri^me moyen de m6molre, et 

le moyen de verification (106) du dispositif de verification (10) d6-randomise la r6ponse enregistr§e dans le 
cinqui^me moyen de m6moire (105) en effectuant des calculs pr6d6finis sur le nombre aleatoire enregistr6 
dans le sixifeme moyen de m§moire (103) et la r^ponse enregistr^e dans le cinqui^me moyen de m6moire 
(105), et v6rifie ensuite la I6gitimit6 de la r6ponse d§-randomis6e en v6rifiant que le r^sultat d§-randomis6 
est identique au d^chiffrement de la valeur de depart enregistr§e dans le septi^me moyen de m^moire (122) 
avec la cl6 de d6chiffrement qui est I'information de caract6ristique de s6curit6 individuelle (14) du dispositif. 

17. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 14, dans 
lequet 

I'information de caract6ristique de s6curit6 individuelle (14) du dispositif est la cl6 de signature d'une fonction 
de signature num^rique, et 

le dispositif de verification (10) comprend un moyen de g6n6ration de nombre aleatoire (102) pour g6nerer 
un nombre aleatoire et enregistrer le nombre aleatoire g6ner6 comme donn^es k verifier dans le quatri^me 
moyen de m^moire, et dans lequel 

le moyen de verification (106) du dispositif de verification (10) v^rifie la I6gitimit6 de la reponse en v6rifiant 
que la r6ponse enregistr^e dans le cinqui^me moyen de m6moire (1 05) est identique k la signature num^rique 
pour les donn6es k verifier enregistr6es dans le quatri^me moyen de m^moire, qui est calcul6e avec la cl6 
de signature qui est I'information de caract^ristique de s6curit6 Individuelle (14) du dispositif. 

18. Dispositif pour authentifier des droits d'acc6s d'un utilisateur k des ressources selon la revendication 15, dans 
lequel 

{'information de caract^ristique de s6curit6 individuelle (14) du dispositif est la cl6 priv6e D d'une paire de cl6s 
publiques RSA avec un modulo n, et 

le moyen de verification (106) v6rifie la I6gitimit6 de la reponse en v6rifiant que la puissance E-i§me de la 
reponse R enregistr6e dans le cinqui^me moyen de m6moire (105), ou E d^signe la cle publique associ^e k 
la cl6 priv^e D, est congrue aux donn6es k verifier C enregistr^es dans le quatri^me moyen de m^moire 
modulo n, c.-^-d. modulo n = C modulo n. 

19. Dispositif pour authentifier des droits d'acc6s d'un utilisateur k des ressources selon la revendication 16, dans 
lequel 

I'information de caract6ristique de s6curit6 individuelle (14) du dispositif est la cl6 priv6e D d'une paire de cl6s 
publiques RSA avec un modulo n, 

une valeur de depart C pour des donn6es k verifier enregistr^es dans le septi^me moyen de m§moire (122) 
est un chiffrement RSA de donn^es K avec la cl6 publique E de la paire de cl§s publiques RSA, c.-^-d. DE 
modulo 0(n) = 1 , C = modulo n, 

un nombre al6atoire r g6n6r6 par le moyen de generation de nombre aieatoire (102) est enregistre dans le 
sixieme moyen de memoire (103), 

des donnees k verifier C generees et enregistrees dans le quatrieme moyen de memoire satisfont la relation 
C = r^C modulo n, et 

le moyen de verification (106) verifie la legitimite de ta reponse R enregistree dans le cinquifeme moyen de 
memoire (105) en vehfiant que le quotient de R divise par r modulo n est congru aux donnees K modulo n, 
c.-^-d. K modulo n = HR modulo n. 

20. Dispositif pour authentifier des droits d'accfes d'un utilisateur k des ressources selon la revendication 18 ou 19, 
dans lequel 

une information d'assistance de controle t (1 3) enregistree dans le troisieme moyen de memoire (113) satisfait 
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la relation t = D - e + w <I>{n), ou e d6signe une information individuelle d'identification de I'utilisateur (16) 
enregistr6e dans le deuxi^me moyen de m^moire (1 1 5), w d6signe un nombre al6atoire compatible d6termin6 
en fonction la fois de n et de e et <I>(n) d6signe le nombre d'Euler de n, et 

la r^ponse g6n6r6e par les moyen de g6n6ration de r6ponse (116) est identique k la puissance D-i6me de 
5 donn6es ^ verifier C enregistr6es dans le premier moyen de m^moire (111) modulo n, c.-^-d. R = modulo n. 

21. Dispositif pour authentifier des droits d'acc6s d'un utilisateur h des ressources selon la revendication 20, dans 
lequel 

le moyen de g6n6ratlon de r6ponse (116) comprend de plus : 

10 

un troisi§me moyen de calcul (112) pour calculer la puissance t-i6me de donn^es k verifier C enregistr^es 
dans le premier moyen de m^moire (111) modulo n, c.-^i-d. C* modulo n, ou t designe I'lnformation d'assistance 
de contrdle (13) enregistr^e dans le troisifeme moyen de m6moire (113); 

un quatri^me moyen de calcul (114) pour calculer la puissance e-i6me des donn^es k verifier C modulo n, c- 
?5 ^-d. C® modulo n, ou e d6signe I'lnformation individuelle d'identification de I'utilisateur (16) enregistr^e dans 

le deuxifeme moyen de m6moire (115); et 

un cinqui^me moyen de calcul (116) pour calculer une r^ponse R en multipliant le r6sultat calculi par le 
troisi§me moyen de calcul (112) par le r^sultat calculi par le quatri^me moyen de calcul (114) modulo n, c- 
^-d. R = C^C® modulo n. 

20 

22. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 21 , compre- 
nant de plus : 

un moyen de protection (160) pour empScher toute donn6e int^rieure d'§tre observ6e ou trafiqu6e de I'ex- 
t6rieur, en confinant le deuxifeme moyen de m^moire (115) et le quatrifeme moyen de calcul (114). 

25 

23. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 18 ou 19, 
dans lequel 

une information d'assistance de controle t (1 3) enregistr6e dans le troisi^me moyen de m^moire (113) satisfait 
30 la relation t = D + F(n, e), ou e d§signe une information individuelle d'identification de rutllisateur (16) enre- 

gistr^e dans le deuxi^me moyen de m^moire (115), et F(x, y) designe une fonction de deux variables sans 
collision, et 

une r6ponse gener^e par le moyen de g6n6ration de r6ponse (116) est identique k la puissance D-i6me de 
donn6es k verifier C enregistr^es dans le premier moyen de m6moire (111) modulo n, c.-^-d. R = modulo n. 

35 

24. Dispositif pour authentifier des droits d'acc6s d'un utilisateur k des ressources selon la revendication 23, dans 
lequel 

le moyen de generation de reponse (116) comprend de plus : 

^0 un troisi^me moyen de calcul (112) pour calculer la puissance t-i§me de donn6es k verifier C enregistr^es 

dans le premier moyen de m^moire (111) modulo n, ou t designe I'lnformation d'assistance de controle (13) 
enregistr6e dans le troisi^me moyen de m6moire (113), c.-^-d. modulo n; 

un quatri^me moyen de calcul (114) pour calculer la puissance F{n, e)-i6me des donn6es k verifier modulo 
n, c.-^-d. C^t"' e) modulo n, oij e d6signe I'information individuelle d'identification de I'utilisateur (1 6) enregistr6e 
^5 dans le deuxi^me moyen de m^moire (1 1 5) et F(x, y) d6signe une fonction de deux variables sans collision; et 

un cinqui^me moyen de calcul (1 1 6) pour calculer une r§ponse R en divisant le r^sultat calculi par le troisi^me 
moyen de calcul (112) par le r6sultat calculi par le quatridme moyen de calcul (114) modulo n, c.-^-d. R = 
CtC-F(n. e) modulo n. 

50 25. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 24, compre- 
nant de plus : 

un moyen de protection (160) pour empecher toute donn§e int6rieure d'etre observ6e ou trafiqu6e de I'ex- 
t^rieur, en confinant le deuxidme moyen de m6moire (115) et le quatri^me moyen de calcul (114). 

55 26. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 1 5, dans 
lequel 

I'lnformation de caract^ristique de s^curit^ individuelle (14) du dispositif est une cl^ D d'une paire de cl^s de 
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Pohlig-Hellman d'un modulo p, et 

le moyen de verification (106) v^rifie la I6gitimit6 de la r6ponse en v6rifiant que la puissance E-i6me de la 
r^ponse R enregistr^e dans le cinqui^me moyen de m6moire (105), oij E designs la cl§ image de la cl6 D, c- 
^-d. DE modulo (p-1) = 1, est congrue aux donnees k verifier C enregistr6es dans le quatri^me moyen de 
5 m6moire modulo p. c.-^-d. modulo p = C modulo p. 

27. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 16, dans 
lequel 

10 information de caract6ristique de s6curit6 individuelle (14) du dispositif est une cl6 D d'une paire de cl6s de 

Pohlig-Hellman d'un modulo p, 

une valeur de depart C pour des donnees k verifier enregistr^es dans !e septidme moyen de m^moire (422) 
est un chiffrement de Pohlig-Hellman des donnees K avec la cl6 image E de la cl6 D, c.-^-d. DE modulo (p- 
1) = 1,C' = KE modulo p, 

^5 un nombre al6atoire r g6n§r6 par le moyen de generation de nombre al6atoire (402) est enregistr6 dans te 

sixi^me moyen de m6moire (403), 

des donnees ci verifier C enregistr6es dans le quatri^me moyen de m6moire satisfont la relation C = r^C 
modulo p, et 

le moyen de verification (106) verifie la legitimite de la r6ponse R enregistr^e dans le cinqui^me moyen de 
20 m6moire (405) en verifiant que le quotient de R divis6 par r modulo p est congru aux donnees K modulo p, 

c.-^-d. K modulo p = r^R modulo p. 

28. Dispositif pour authentifier des droits d'acc^s d'un utilisateur ^'des ressources selon la revendication 26 ou 27, 
dans lequel 

25 

I'information d'assistance de controle t (13) enregistr^e dans le troisi^me moyen de memoire (413) satisfait 
la relation t = D + F(p, e), ou e d^signe I'information individuelle d'identification de I'utilisateur (1 6) enregistr6e 
dans le deuxi^me moyen de m^moire (41 5), et F(x, y) d^signe une fonction de deux variables sans collision, et 
une reponse g^neree par le moyen de generation de reponse (416) est identique k la puissance D-ieme de 
30 donnees k verifier C enregistrees dans le premier moyen de memoire (41 1 ) modulo p, c.-^-d. R = modulo p. 

29. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 28, dans 
lequel 

le moyen de generation de reponse (416) comprend de plus : 

35 

un troisieme moyen de calcul (412) pour calculer la puissance t-ieme de donnees k verifier C enregistrees 
dans le premier moyen de memoire (411) modulo p, oij t designe I'information d'assistance de contrdle (13) 
enregistree dans le troisieme moyen de memoire (413), c.-^-d. C* modulo p; 

un quatrieme moyen de calcul (414) pour calcuier la puissance F(p, e)-ieme des donnees k verifier C modulo 
40 p, c.-^-d. Cf^(P' ®) modulo p, ou e designe I'information individuelle d'identification de I'utilisateur (1 6) enregistree 

dans le deuxieme moyen de memoire (415) et F(x, y) designe une fonction de deux variables sans collision; et 
un cinquieme moyen de calcul (41 6) pour calculer une reponse R en divisant le resultat calcuie par le troisidme 
moyen de calcul (412) par le resultat calcuie par le quatrieme moyen de calcul (414) modulo p, c,-^-d. R = 
OC-^(^' e) modulo p. 

45 

30. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 29, compre- 
nant de plus : 

un moyen de protection (160) pour empecher toute donnee interieure d'etre observee ou trafiquee de I'ex- 
terieur, en confinant le deuxieme moyen de memoire (415) et le quatrieme moyen de calcul (414). 

50 

31. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 16, dans 
lequel 

information de caracteristique de securite individuelle (14) du dispositif est la cie priv6e X d'une paire de cies 
55 publiques d'EIGamal avec un modulo p et un g6nerateur G, 

la cie publique Y correspondant k X est la puissance X-ieme de G modulo p, c.-^-d. Y = G^ modulo p, 

u designe la puissance z-ieme de G modulo p (u = G^ modulo p) pour un nombre al6atoire z, 

K' designe le produit modulo p de la puissance z-ieme de Y modulo p et d'une donnee K, c.-^-d. K' = Y^K 
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modulo p, 

le septi^me moyen de m6nrioire (522) contient la paire form6e de u et de K', 

un nombre al6atoire r g6n6r6 par le moyen de g6n6ratlon de nombre al^atoire (602) est enreglstr6 dans le 
sixi^me moyen de m^moire (603), 
5 C d^signe le produit modulo p de K' et r, c.-^-d. C = rK' modulo p, 

le quatri^me moyen de m§moire contient la paire form^e de C et de u, et 

le moyen de verification (106) v^rifie la I6gltimit6 de la r6ponse R enregistr6e dans le cinqui^me moyen de 
m6moire (505) en v6rifiant que le quotient de R divis6 par r modulo p est congru k K modulo p, c.-^-d. K 
modulo p = r'lR modulo p. 

10 

32. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 31 , dans 
lequel 

rinformation d'assistance de controle t (13) enregistr6e dans le troisi^me moyen de m^moire (513) satisfait 
'5 la relation t = D + F(p, e). ou e d§signe I'information individuelle d'identification de I'utilisateur (16) enregistr^e 

dans le deuxi^me moyen de m6moire (515) et F(x, y) d^signe une fonction de deux variables sans collision, et 
une r§ponse R g6n6r6e par le moyen de generation de r^ponse (516) est identique au quotient de la division 
de C par la puissance X-i§me de u modulo p, c.-^-d. R = u-^C modulo p, ou la paire form^e de C et de u est 
constitute par les donntes k verifier enregistrees dans le premier moyen de mtmoire (511 ). 

20 

33. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 32, dans 
lequel 

le moyen de generation de reponse (516) comprend de plus : 

25 un troisieme moyen de calcul (512) pour calculer la puissance t-i^me de la composante u de la paire de 

donn6es k verifier enregistrees dans le premier moyen de memoire (511) modulo p, ou t designe I'information 
d'assistance de contr6le enregistree dans le troisieme moyen de memoire (513), c.-^-d. u* modulo p; 
un quatrieme moyen de calcul (514) pour calculer la puissance (F(p, e)-ieme de u modulo p, c.-^-d. u'^tP-®) 
modulo p, ou e designe I'information individuelle d'identification de I'utilisateur (16) enregistree le deuxieme 

30 moyen de memoire (51 5) et F(x, y) designe une fonction de deux variables sans collision; et 

un cinquieme moyen de calcul (516) pour calculer une reponse R en divisant le produit de I'autre composante 
C de la paire de dbnn6es k verifier et du resultat calcuie par le quatrieme moyen de calcul (51 4) par le resultat 
calcuie par le troisieme moyen de calcul (512) modulo p, c.-^-d. R = Cu''<P'e)u-* modulo p. 

35 34. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 33, compre- 
nant de plus : 

un moyen de protection (160) pour empecher toute donnee int6rleure d'etre observee ou trafiquee de I'ex- 
terieur, en confinant le deuxieme moyen de memoire (515) et le quatrieme moyen de calcul (514). 

40 35. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 17, dans 
lequel 

rinformation de caractehstique de securite individuelle (14) du dispositif est la cie de signature X d'une paire 
de cies publiques d'EIGamal avec un modulo p et un generateur G, 

^5 la cie publique Y correspondant k X est la puissance X-ieme de G modulo p, c.-^-d. Y = modulo p, 

une reponse enregistree dans le cinquieme moyen de memoire (605) est une paire formee de R et de S, et 
le moyen de verification (606) verifie la legitimite de la reponse R enregistree dans le cinquieme moyen de 
memoire (605) en verifiant que la puissance C-ieme de G pour les donnees k verifier C enregistrees dans le 
quatrieme moyen de memoire est congrue modulo p au produit de la puissance R-ieme de Y et de la puissance 

50 S-ieme de R, c.-^-d. G^ modulo p = Y^^RS modulo p. 

38. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 35, dans 
lequel 

55 I'information d'assistance de controle t (13) enregistree dans le troisieme moyen de memoire (613) satisfait 

la relation t = D + F(p, e), ou e designe I'information individuelle d'identification de I'utilisateur (1 6) enregistree 
dans le deuxieme moyen de memoire (616), et F(x, y) designe une fonction de deux variables sans collision, et 
le moyen de generation de reponse (116) g6nere une paire de reponses R et S en effectuant les operations 



44 



EP 0 792 044 B1 



suivantes consistant k : 

g6n6rer un nombre al6atoire k; 

calculer R comme la puissance k-i^me de G modulo p, c.-^-d. R = G*^ modulo p; et 
calculer S selon la relation S = (C - RX) tc^ modulo {p-1). 

37. Disposltif pour authentifier des droits d'acc^s d'un utilisateur ^ des ressources selon la revendication i36, compre- 
nant de plus : 

un moyen de protection (160) pour emp^cher toute donn^e int^rieure d'§tre observ6e ou trafiqu^e de I'ex- 
t6rieur, en confinant le deuxi^me moyen de m6moire (616) et le quatrl6me moyen de calcul (614). 

38. Dispositif pour authentifier des droits d'acc^s d'un utilisateur ^ des ressources selon la revendication 4, dans lequel 

I'information individuelle d'identification de Tutllisateur (16) enregistr6e dans le deuxi^me moyen de m6moire 
(71 5) est une cl6 de d6chiffrement d'une fonction de chiffrement, 

I'information d'assistance de contrSle (13) enregistr6e dans le troisidme moyen de m^moire (713) est un chif- 
frement de I'information de caract^ristlque de s6curit6 individuelle du dispositif avec la cl§ de chiffrement 
correspondant k la cI6 de d^chiffrement, et 

le premier moyen de calcul (712) calcule I'information de caract6ristique de s6curit§ individuelle (14) du dis- 
positif en d^ch iff rant I'information d'assistance de controle enregistree dans le troisi^me moyen de m§moire 
(713) avec la cl6 de d^chiffrement enregistree dans le deuxi^me moyen de m6moire (715). 

39. Dispositif pour authentifier des droits d'acces d'un utilisateur ^ des ressources selon la revendication 38, dans 
lequel 

la fonction de chiffrement est du type de chiffrement k cl6 asym^trique, et 

I'information individuelle d'identification de I'utilisateur (1 6) est une composante de la paire de cl6s de la fonc- 
tion de chiffrement. 

40. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 39, dans 
lequel 

la fonction de chiffrement est du type de chiffrement k cl6 publique, et 

I'information individuelle d'identification de I'utilisateur (16) est la cl6 priv6e de la paire de cl6s publiques de 
la fonction de chiffrement. 

41. Dispositif pour authentifier des droits d'accfes d'un utilisateur k des ressources selon la revendication 38, dans 
lequel 

la fonction de chiffrement est du type de chiffrement k cl6 sym6trique, et 

I'information individuelle d'identification de I'utilisateur (16) est la cl6 secrete commune de la fonction de chif- 
frement. 

42. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 8 ou 1 6, dans 
lequel 

le dispositif de verification (10) comprend de plus : 

un huiti^me moyen de m^moire (310a) pour enregistrer un chiffrement de donn6e en clair dont sont les don- 
n6es k verifier ou la valeur de depart pour des donn6es k verifier enregistr6es dans le premier moyen de 
memoire (111); et 

un moyen de comparaison (31 Ob) pour examiner si les donn6es en clair enregistr§es dans le huitifeme moyens 
de m6moire (31 Oa) sont identiques aux donn^es introduites dans le moyen de comparaison (310b), et dans 
lequel 

le moyen de verification (1 06) transmet la r^ponse ou la valeur d6-randomis6e de la r^ponse enregistree dans 
le cinquieme moyen de memoire (105) au moyen de comparaison (310b), regoit la reponse du moyen de 
comparaison (310b), et le moyen de verification (106) verifie ainsi la legitimite de la reponse si et seulement 
si la reponse regue montre que les donnees en clair enregistrees dans le huitieme moyen de memoire (310a) 
sont identiques aux donnees introduites dans le moyen de comparaison (310b). 
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43. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 8 ou 1 6, dans 
lequel 

le dispositif de verification (10) comprend de plus : 

un neuvi^me moyen de m^moire (310a) pour enregistrer une valeur obtenue en appliquant una fonction uni- 
directionnelle au chiffrement des donn6es en clair dont sont les donn6es k verifier ou la valeur de depart pour 
des donn^es k verifier enregistr6es dans le septi^me moyen de m6moire (122); 

un sixi^me moyen de calcul (310c) pour 6mettre une valeur calcul6e en s'appliquant la fonction unidirection- 
nelle k des donn^es introduites; et 

un moyen de comparaison (31 Ob) pour examiner si la valeur enregistr6e dans le neuvi^me moyen de m^moire 
(310a) est identique aux donn^es introduites dans le moyen de comparaison (31 Ob), et dans lequel 
le moyen de verification (1 06) transmet la r^ponse ou la valeur d6-randomis6e de la r6ponse au sixi^me moyen 
de calcul (310c), regoit un r6sultat du sixi^me moyen de calcul (310c), transmet le r6sultat au moyen de 
comparaison (31 Ob) et regoit une r^ponse du moyen de comparaison (31 Ob), et le moyen de verification (1 06) 
v6rifie ainsi la iegitimit§ de la reponse si et seulement si la r6ponse regue montre que le r^sultat du calcul 
effectue par le sixi^me moyen de calcul (310c) est identique aux donn^es enregistr6es dans le neuvidme 
moyen de m6moire (310a). 

44. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 8 ou 1 6, dans 
lequel 

le dispositif de verification (10) comprend de plus : 

un moyen d'execution de programme (31 0) pour ex^cuter un code d'un chiffrement de programme dont sont 
les donnees k verifier enregistr^es dans le septi^me moyen de memoire (122), et dans lequel 
le moyen de verification (106) transmet la reponse enregistree dans le cinquieme moyen de memoire (105) 
comme code de programme au moyen d'execution de programme (310), et 

le moyen d'execution de programme (310) fonctionne correctement si et seulement si le moyen de generation 
de reponse (116) dechiff re correctement les donnees k verifier qui sont un chiffrement du code du programme, 
c.-^-d. si le chiffrement du programme est correctement dechiffre. 

45. Dispositif pour authentifier des droits d'acc^s d'un utilisateur k des ressources selon la revendication 8 ou 1 6, dans 
lequel 

le dispositif de verification (1 0) comprend de plus : 

un moyen d'execution de programme (31 0); 

un moyen d'enregistrement de programme (31 Og); et 

un moyen de dechiffrement de programme (31 Oh), et dans lequel 

le moyen d'enregistrement de programme (31 Og) enregistre un code d'un programme dont tout ou une partie 
est chiffre, 

un chiffrement de la cie de dechiffrement pour le code de programme partiellement ou totalement chiffre est 
constitue par les donnees k verifier enregistrees dans le septi^me moyen de memoire (1 22), 
le moyen de verification (106) transmet la reponse au moyen de dechiffrement de programme (31 Oh), 
le moyen de dechiffrement de programme (31 Oh) dechiffre le programme enregistre dans le moyen d'enre- 
gistrement de programme (31 Og) avec la reponse comme cie de dechiffrement, et 

le moyen d'execution de programme (31 0) execute correctement le programme dechiffre si et seulement si 
le moyen de generation de reponse (116) dechiffre correctement les donnees k verifier, c.-^-d. si la cie de 
dechiffrement pour dechiffrer le chiffrement du programme est correctement dechiffree. 

46. Dispositif pour authentifier des droits d'acces d'un utilisateur k des ressources selon la revendication 14, dans 
lequel 

le dispositif de confirmation (1 1 ) et le dispositif de verification (10) sont instalies dans un materiel sous boTtier, et 
le dispositif de confirmation (10) transffere les donnees k verifier (18) enregistrees dans le quatrieme moyen 
de memoire au premier moyen de memoire (111) du dispositif de confirmation (11) et le dispositif de confir- 
mation (11) transfere la reponse (19) generee par le moyen de generation de reponse (116) au cinquieme 
moyen de memoire (1 05) du dispositif de verification (1 0) sans utiliser de reseau de communication k I'exterieur 
du materiel sous boitier. 
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47. Proc6d6 pour authentif ier des droits d'acc^s d'un utiltsateur ^ des ressources en v6rif iant la I6gitimit6 d'une r^ponse 
g6n§r6e k partir de donn^es ^ verifier pour confirmer les droits d'acc^s de I'utilisateur, comprenant : 

une operation consistent k enregistrer les donn6es k verifier; 
5 une operation consistent k enregistrer une information individuelle d'identification de I'utilisateur; 

une operation consistent k enregistrer une information d'assistance de contrdle qui est un r6sultat de calculs 
pr6d6termin6s effectu6s sur I'information individuelle d'identification de Tutilisateur et I'information de carac- 
t^ristique de s6curit6 individuelle; 

une operation consistent k g6n6rer une r6ponse en effectuant des cetculs pr6d6termin6s sur les donn6es k 
'0 verifier, I'information individuelle d'identificetion de I'utiliseteur et I'informetion d'essistance de controle; et 

une operation consistent ci verifier le I6gitimit6 de la r6ponse en v^rifiant que la r6ponse, les donn6es k verifier 
et information de carect^rlstique de s6curit6 individuelle setisfont une relation pr6d6finie particuli^re. 

48. Produit sous forme de programme d'ordineteur destine k §tre utilise avec un ordineteur, le produit sous forme de 
'5 programme d'ordineteur comprenant : 

un support d'information utiliseble per un ordineteur eyent un moyen de code de programme lisible par or- 
dineteur incorpor6 eu support d'information pour feire g^n^rer k I'ordineteur une r^ponse (1 9) k pertir de donn6es 
k verifier (1 8) dont le I^gitimite doit etre v6rifi6e pour euthentifier des droits d'ecc^s d'un utilisateur, le produit sous 
forme de progremme d'ordineteur poss6dent : 

20 

un moyen de code de programme lisible per ordineteur pour feire enregistrer k I'ordineteur les donn6es k 
verifier (18); 

un moyen de code de progremme lisible per ordineteur pour feire enregistrer k I'ordinateur une informetion 
individuelle d'identificetion de I'utiliseteur (1 6); 

25 un moyen de code de progremme lisible per ordineteur pour feire enregistrer k I'ordinateur une informetion 

d'assistance de controle (1 3) qui est le r6suitat de celculs pr6d6termin6s effectu6s sur I'informetion individuelle 
d'identificetion de I'utiliseteur (16) et I'informetion de cerect6ristique de s6curit6 individuelle (14); et 
un moyen de code de programme lisible per ordineteur pour feire g6n6rer k I'ordineteur une r^ponse (19) en 
effectuent des celculs pr6d6termin6s sur les donn6es k verifier (18), I'informetion individuelle d'identification 

30 de I'utilisateur (16) et Tinformation d'assistance de contrdle (13). 

49. Produit sous forme de programme d'ordineteur selon le revendicetion 48, comprenent : 

un moyen de code de programme lisible per ordineteur pour feire verifier k I'ordinateur la I§gitimit6 de le 
r^ponse (19) en v^rifiant que le r^ponse (19), les donn§es k verifier (18) et I'informetion de cerect6ristique de 
35 s^curite individuelle (14) setisfont une reletion pr^definie perticulifere. 

50. Dispositif de commende d'ex6cution de programme pour euthentifier des droits d'ecc^s d'un utiliseteur k des res- 
sources en v^rifient le I6gitimit6 d'une r6ponse gen6r6e k partir de donn6es k verifier pour confirmer les droits 
d'ecc^s de rutilisateur et commander I'ex^cution d'un progremme en fonction de I'euthentificetion des droits d'ec- 

40 cks de I'utiliseteur, comprenent un dispositif tel que d6fini dens I'une quelconque des revendicetions 1 ^ 46 et 

un moyen de continuation pour continuer Tex^cution du programme si la I6gitimit§ de le r^ponse est v6rifi6e. 

51. Dispositif informetique servent k euthentifier des droits d'accfes d'un utilisateur k des ressources de traitement de 
I'informetion pertlculi^res en v§rifient le I6gitimit6 d'une r§ponse (1 9) g^ner^e pour confirmer les droits d'ecc^s de 

45 I'utiliseteur et permettre I'ecc^s aux ressources de treitement de I'information perticuli^res, comprenent un dispositif 

tel que d6fini dans I'une quelconque des revendicetions 1 ^ 46 et 

un moyen d'autorisetion pour permettre I'acc^s aux ressources de traitement de I'information particuli^res 
si la l^gitimit^ de le r^ponse est v4rifi6e. 

50 
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